Windows Analysis Report
whrbuflqwhah.exe

Overview

General Information

Sample name: whrbuflqwhah.exe
Analysis ID: 1538050
MD5: 99201be105bf0a4b25d9c5113da723fb
SHA1: 443e6e285063f67cb46676b3951733592d569a7c
SHA256: e4eda2de1dab7a3891b0ed6eff0ccd905ff4b275150004c6eb5f1d6582eea9a2
Tags: Coiner, exe, user-susu99069042

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop EventLog
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • whrbuflqwhah.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\whrbuflqwhah.exe" MD5: 99201BE105BF0A4B25D9C5113DA723FB)
    • powershell.exe (PID: 7284 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7460 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • cmd.exe (PID: 7516 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 7592 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 7524 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7624 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7672 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7720 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7776 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 7824 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
      • svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1084 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1200 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1252 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1296 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1408 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1488 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1496 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1552 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1572 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1652 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1724 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1824 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1840 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1940 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1948 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • sc.exe (PID: 7836 cmdline: C:\Windows\system32\sc.exe delete "RYVSUJUA" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7880 cmdline: C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7932 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7940 cmdline: C:\Windows\system32\sc.exe start "RYVSUJUA" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7956 cmdline: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\whrbuflqwhah.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 8064 cmdline: choice /C Y /N /D Y /T 3 MD5: 1A9804F0C374283B094E9E55DC5EE128)
  • whrbuflqwhah.exe (PID: 8056 cmdline: C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe MD5: 99201BE105BF0A4B25D9C5113DA723FB)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\whrbuflqwhah.exe", ParentImage: C:\Users\user\Desktop\whrbuflqwhah.exe, ParentProcessId: 7272, ParentProcessName: whrbuflqwhah.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7284, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\whrbuflqwhah.exe", ParentImage: C:\Users\user\Desktop\whrbuflqwhah.exe, ParentProcessId: 7272, ParentProcessName: whrbuflqwhah.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7284, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 7824, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\whrbuflqwhah.exe", ParentImage: C:\Users\user\Desktop\whrbuflqwhah.exe, ParentProcessId: 7272, ParentProcessName: whrbuflqwhah.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto", ProcessId: 7880, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\whrbuflqwhah.exe", ParentImage: C:\Users\user\Desktop\whrbuflqwhah.exe, ParentProcessId: 7272, ParentProcessName: whrbuflqwhah.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7284, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\whrbuflqwhah.exe", ParentImage: C:\Users\user\Desktop\whrbuflqwhah.exe, ParentProcessId: 7272, ParentProcessName: whrbuflqwhah.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 7932, ProcessName: sc.exe
No Suricata rule has matched

AV Detection

Source: C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe | ReversingLabs: Detection: 63%
Source: C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe | Virustotal: Detection: 71%
Source: whrbuflqwhah.exe | ReversingLabs: Detection: 63%
Source: whrbuflqwhah.exe | Virustotal: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: whrbuflqwhah.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 3_2_000002C5CCF7DCE0 FindFirstFileExW,3_2_000002C5CCF7DCE0
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC64DCE0 FindFirstFileExW,22_2_00000225DC64DCE0
Source: C:\Windows\System32\lsass.exe | Code function: 31_2_00000202C0AEDCE0 FindFirstFileExW,31_2_00000202C0AEDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000002A66130DCE0 FindFirstFileExW,32_2_000002A66130DCE0
Source: C:\Windows\System32\dwm.exe | Code function: 33_2_000002BAAEDDDCE0 FindFirstFileExW,33_2_000002BAAEDDDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 34_2_0000026A879CDCE0 FindFirstFileExW,34_2_0000026A879CDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 35_2_00000179537ADCE0 FindFirstFileExW,35_2_00000179537ADCE0
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000002295D56DCE0 FindFirstFileExW,36_2_000002295D56DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 37_2_0000025306E6DCE0 FindFirstFileExW,37_2_0000025306E6DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 38_2_000001845B3ADCE0 FindFirstFileExW,38_2_000001845B3ADCE0
Source: C:\Windows\System32\svchost.exe | Code function: 39_2_000001ADECD4DCE0 FindFirstFileExW,39_2_000001ADECD4DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 40_2_000001D55907DCE0 FindFirstFileExW,40_2_000001D55907DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 41_2_00000241A9EADCE0 FindFirstFileExW,41_2_00000241A9EADCE0
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_000001CD7319DCE0 FindFirstFileExW,42_2_000001CD7319DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 43_2_000002824E89DCE0 FindFirstFileExW,43_2_000002824E89DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_0000021B47B3DCE0 FindFirstFileExW,44_2_0000021B47B3DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 45_2_000002087006DCE0 FindFirstFileExW,45_2_000002087006DCE0

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\whrbuflqwhah.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\dialer.exe | Code function: 17_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,17_2_00000001400010C0
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC6428C8 NtEnumerateValueKey,NtEnumerateValueKey,22_2_00000225DC6428C8
Source: C:\Windows\System32\lsass.exe | Code function: 31_2_00000202C0AE202C NtQuerySystemInformation,StrCmpNIW,31_2_00000202C0AE202C
Source: C:\Windows\System32\lsass.exe | Code function: 31_2_00000202C0AE253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,31_2_00000202C0AE253C
Source: C:\Windows\System32\dwm.exe | Code function: 33_2_000002BAAEDD28C8 NtEnumerateValueKey,NtEnumerateValueKey,33_2_000002BAAEDD28C8
Source: Joe Sandbox View | Dropped File: C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe E4EDA2DE1DAB7A3891B0ED6EFF0CCD905FF4B275150004C6EB5F1D6582EEA9A2
Source: classification engine | Classification label: mal100.adwa.evad.winEXE@45/67@0/0
Source: C:\Windows\System32\dialer.exe | Code function: 17_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx
Source: C:\Windows\System32\dialer.exe | Code function: 17_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_keg54dfm.zgo.ps1
Source: whrbuflqwhah.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: whrbuflqwhah.exe | ReversingLabs: Detection: 63%
Source: whrbuflqwhah.exe | Virustotal: Detection: 71%
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | File read: C:\Users\user\Desktop\whrbuflqwhah.exe
Source: unknown | Process created: C:\Users\user\Desktop\whrbuflqwhah.exe "C:\Users\user\Desktop\whrbuflqwhah.exe"
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "RYVSUJUA"
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "RYVSUJUA"
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\whrbuflqwhah.exe"
Source: unknown | Process created: C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\dialer.exe | Section loaded: ntmarta.dll
Source: C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\choice.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: whrbuflqwhah.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: whrbuflqwhah.exe | Static file information: File size 5512704 > 1048576
Source: whrbuflqwhah.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x52a800
Source: whrbuflqwhah.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: whrbuflqwhah.exe | Static PE information: section name: .00cfg
Source: whrbuflqwhah.exe.0.dr | Static PE information: section name: .00cfg
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 3_2_000002C5CCF5ACDD push rcx; retf 003Fh 3_2_000002C5CCF5ACDE
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 3_2_000002C5CCF8C6DD push rcx; retf 003Fh 3_2_000002C5CCF8C6DE
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC62ACDD push rcx; retf 003Fh 22_2_00000225DC62ACDE
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC65C6DD push rcx; retf 003Fh 22_2_00000225DC65C6DE
Source: C:\Windows\System32\lsass.exe | Code function: 31_2_00000202C0ACACDD push rcx; retf 003Fh 31_2_00000202C0ACACDE
Source: C:\Windows\System32\lsass.exe | Code function: 31_2_00000202C0AFC6DD push rcx; retf 003Fh 31_2_00000202C0AFC6DE
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000002A6612EACDD push rcx; retf 003Fh 32_2_000002A6612EACDE
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000002A66131C6DD push rcx; retf 003Fh 32_2_000002A66131C6DE
Source: C:\Windows\System32\dwm.exe | Code function: 33_2_000002BAAEDBACDD push rcx; retf 003Fh 33_2_000002BAAEDBACDE
Source: C:\Windows\System32\dwm.exe | Code function: 33_2_000002BAAEDEC6DD push rcx; retf 003Fh 33_2_000002BAAEDEC6DE
Source: C:\Windows\System32\svchost.exe | Code function: 34_2_0000026A879AACDD push rcx; retf 003Fh 34_2_0000026A879AACDE
Source: C:\Windows\System32\svchost.exe | Code function: 35_2_000001795378ACDD push rcx; retf 003Fh 35_2_000001795378ACDE
Source: C:\Windows\System32\svchost.exe | Code function: 35_2_00000179537BC6DD push rcx; retf 003Fh 35_2_00000179537BC6DE
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000002295D54ACDD push rcx; retf 003Fh 36_2_000002295D54ACDE
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000002295D57C6DD push rcx; retf 003Fh 36_2_000002295D57C6DE
Source: C:\Windows\System32\svchost.exe | Code function: 37_2_00000253067EACDD push rcx; retf 003Fh 37_2_00000253067EACDE
Source: C:\Windows\System32\svchost.exe | Code function: 37_2_0000025306E7C6DD push rcx; retf 003Fh 37_2_0000025306E7C6DE
Source: C:\Windows\System32\svchost.exe | Code function: 38_2_000001845B3BC6DD push rcx; retf 003Fh 38_2_000001845B3BC6DE
Source: C:\Windows\System32\svchost.exe | Code function: 39_2_000001ADECD5C6DD push rcx; retf 003Fh 39_2_000001ADECD5C6DE
Source: C:\Windows\System32\svchost.exe | Code function: 40_2_000001D55905ACDD push rcx; retf 003Fh 40_2_000001D55905ACDE
Source: C:\Windows\System32\svchost.exe | Code function: 40_2_000001D55908C6DD push rcx; retf 003Fh 40_2_000001D55908C6DE
Source: C:\Windows\System32\svchost.exe | Code function: 41_2_00000241A9EBC6DD push rcx; retf 003Fh 41_2_00000241A9EBC6DE
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_000001CD7317ACDD push rcx; retf 003Fh 42_2_000001CD7317ACDE
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_000001CD731AC6DD push rcx; retf 003Fh 42_2_000001CD731AC6DE
Source: C:\Windows\System32\svchost.exe | Code function: 43_2_000002824E87ACDD push rcx; retf 003Fh 43_2_000002824E87ACDE
Source: C:\Windows\System32\svchost.exe | Code function: 43_2_000002824E8AC6DD push rcx; retf 003Fh 43_2_000002824E8AC6DE
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_0000021B473DACDD push rcx; retf 003Fh 44_2_0000021B473DACDE
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_0000021B47B4C6DD push rcx; retf 003Fh 44_2_0000021B47B4C6DE
Source: C:\Windows\System32\svchost.exe | Code function: 45_2_000002086F9EACDD push rcx; retf 003Fh 45_2_000002086F9EACDE
Source: C:\Windows\System32\svchost.exe | Code function: 45_2_000002087007C6DD push rcx; retf 003Fh 45_2_000002087007C6DE

Persistence and Installation Behavior

Source: C:\Windows\System32\lsass.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | File created: C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: explorer.exe | User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\whrbuflqwhah.exe"
Source: C:\Windows\System32\lsass.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\dialer.exe | Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,17_2_00000001400010C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5683
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4171
Source: C:\Windows\System32\dialer.exe | Window / User API: threadDelayed 1759
Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 1723
Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 8277
Source: C:\Windows\System32\lsass.exe | Window / User API: threadDelayed 9214
Source: C:\Windows\System32\lsass.exe | Window / User API: threadDelayed 698
Source: C:\Windows\System32\dwm.exe | Window / User API: threadDelayed 9871
Source: C:\Windows\System32\lsass.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_31-14886
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_3-14833
Source: C:\Windows\System32\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_32-14869
Source: C:\Windows\System32\dialer.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_17-409
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | API coverage: 4.9 %
Source: C:\Windows\System32\lsass.exe | API coverage: 7.3 %
Source: C:\Windows\System32\svchost.exe | API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe | API coverage: 4.7 %
Source: C:\Windows\System32\svchost.exe | API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe | API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe | API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe | API coverage: 4.4 %
Source: C:\Windows\System32\svchost.exe | API coverage: 5.0 %
Source: C:\Windows\System32\svchost.exe | API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe | API coverage: 5.9 %
Source: C:\Windows\System32\svchost.exe | API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe | API coverage: 6.2 %
Source: C:\Windows\System32\svchost.exe | API coverage: 7.1 %
Source: C:\Windows\System32\svchost.exe | API coverage: 4.9 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364 | Thread sleep count: 5683 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7368 | Thread sleep count: 4171 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7424 | Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7656 | Thread sleep count: 248 > 30
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7656 | Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 7828 | Thread sleep count: 1759 > 30
Source: C:\Windows\System32\dialer.exe TID: 7828 | Thread sleep time: -175900s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 8092 | Thread sleep count: 1723 > 30
Source: C:\Windows\System32\winlogon.exe TID: 8092 | Thread sleep time: -1723000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 8092 | Thread sleep count: 8277 > 30
Source: C:\Windows\System32\winlogon.exe TID: 8092 | Thread sleep time: -8277000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 8100 | Thread sleep count: 9214 > 30
Source: C:\Windows\System32\lsass.exe TID: 8100 | Thread sleep time: -9214000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 8100 | Thread sleep count: 698 > 30
Source: C:\Windows\System32\lsass.exe TID: 8100 | Thread sleep time: -698000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8108 | Thread sleep count: 246 > 30
Source: C:\Windows\System32\svchost.exe TID: 8108 | Thread sleep time: -246000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 8116 | Thread sleep count: 9871 > 30
Source: C:\Windows\System32\dwm.exe TID: 8116 | Thread sleep time: -9871000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8124 | Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 8124 | Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8132 | Thread sleep count: 254 > 30
Source: C:\Windows\System32\svchost.exe TID: 8132 | Thread sleep time: -254000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8144 | Thread sleep count: 254 > 30
Source: C:\Windows\System32\svchost.exe TID: 8144 | Thread sleep time: -254000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8152 | Thread sleep count: 248 > 30
Source: C:\Windows\System32\svchost.exe TID: 8152 | Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8160 | Thread sleep count: 196 > 30
Source: C:\Windows\System32\svchost.exe TID: 8160 | Thread sleep time: -196000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8168 | Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 8168 | Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8176 | Thread sleep count: 242 > 30
Source: C:\Windows\System32\svchost.exe TID: 8176 | Thread sleep time: -242000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8184 | Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 8184 | Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4960 | Thread sleep count: 252 > 30
Source: C:\Windows\System32\svchost.exe TID: 4960 | Thread sleep time: -252000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2060 | Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 2060 | Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6016 | Thread sleep count: 235 > 30
Source: C:\Windows\System32\svchost.exe TID: 6016 | Thread sleep time: -235000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4348 | Thread sleep count: 235 > 30
Source: C:\Windows\System32\svchost.exe TID: 4348 | Thread sleep time: -235000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2128 | Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 2128 | Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 340 | Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 340 | Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2860 | Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 2860 | Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5228 | Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 5228 | Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5800 | Thread sleep count: 246 > 30
Source: C:\Windows\System32\svchost.exe TID: 5800 | Thread sleep time: -246000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4192 | Thread sleep count: 234 > 30
Source: C:\Windows\System32\svchost.exe TID: 4192 | Thread sleep time: -234000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3180 | Thread sleep count: 248 > 30
Source: C:\Windows\System32\svchost.exe TID: 3180 | Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5000 | Thread sleep count: 233 > 30
Source: C:\Windows\System32\svchost.exe TID: 5000 | Thread sleep time: -233000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6944 | Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 6944 | Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe | Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 3_2_000002C5CCF7DCE0 FindFirstFileExW,3_2_000002C5CCF7DCE0
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC64DCE0 FindFirstFileExW,22_2_00000225DC64DCE0
Source: C:\Windows\System32\lsass.exe | Code function: 31_2_00000202C0AEDCE0 FindFirstFileExW,31_2_00000202C0AEDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000002A66130DCE0 FindFirstFileExW,32_2_000002A66130DCE0
Source: C:\Windows\System32\dwm.exe | Code function: 33_2_000002BAAEDDDCE0 FindFirstFileExW,33_2_000002BAAEDDDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 34_2_0000026A879CDCE0 FindFirstFileExW,34_2_0000026A879CDCE0
Source: C:\Windows\System32\svchost.exe | Code function: 35_2_00000179537ADCE0 FindFirstFileExW,35_2_00000179537ADCE0
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000002295D56DCE0 FindFirstFileExW,36_2_000002295D56DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 37_2_0000025306E6DCE0 FindFirstFileExW,37_2_0000025306E6DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 38_2_000001845B3ADCE0 FindFirstFileExW,38_2_000001845B3ADCE0
Source: C:\Windows\System32\svchost.exe | Code function: 39_2_000001ADECD4DCE0 FindFirstFileExW,39_2_000001ADECD4DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 40_2_000001D55907DCE0 FindFirstFileExW,40_2_000001D55907DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 41_2_00000241A9EADCE0 FindFirstFileExW,41_2_00000241A9EADCE0
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_000001CD7319DCE0 FindFirstFileExW,42_2_000001CD7319DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 43_2_000002824E89DCE0 FindFirstFileExW,43_2_000002824E89DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_0000021B47B3DCE0 FindFirstFileExW,44_2_0000021B47B3DCE0
Source: C:\Windows\System32\svchost.exe | Code function: 45_2_000002087006DCE0 FindFirstFileExW,45_2_000002087006DCE0
Source: C:\Windows\System32\dialer.exe | API call chain: ExitProcess graph end node graph_17-477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 3_2_000002C5CCF7D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_000002C5CCF7D2A4
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 3_2_000002C5CCF72F04 GetProcessHeap,HeapAlloc,StrCmpNIW,GetProcessHeap,HeapFree,3_2_000002C5CCF72F04
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe | Process token adjusted: Debug
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 3_2_000002C5CCF77D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_000002C5CCF77D90
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_00000225DC647D90
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_00000225DC64D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_00000225DC64D2A4
Source: C:\Windows\System32\lsass.exe | Code function: 31_2_00000202C0AED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00000202C0AED2A4
Source: C:\Windows\System32\lsass.exe | Code function: 31_2_00000202C0AE7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00000202C0AE7D90
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000002A66130D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,32_2_000002A66130D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000002A661307D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,32_2_000002A661307D90
Source: C:\Windows\System32\dwm.exe | Code function: 33_2_000002BAAEDD7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,33_2_000002BAAEDD7D90
Source: C:\Windows\System32\dwm.exe | Code function: 33_2_000002BAAEDDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,33_2_000002BAAEDDD2A4
Source: C:\Windows\System32\svchost.exe | Code function: 34_2_0000026A879CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_0000026A879CD2A4
Source: C:\Windows\System32\svchost.exe | Code function: 34_2_0000026A879C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_0000026A879C7D90
Source: C:\Windows\System32\svchost.exe | Code function: 35_2_00000179537A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,35_2_00000179537A7D90
Source: C:\Windows\System32\svchost.exe | Code function: 35_2_00000179537AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,35_2_00000179537AD2A4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000002295D56D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,36_2_000002295D56D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 36_2_000002295D567D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,36_2_000002295D567D90
Source: C:\Windows\System32\svchost.exe | Code function: 37_2_0000025306E6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,37_2_0000025306E6D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 37_2_0000025306E67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,37_2_0000025306E67D90
Source: C:\Windows\System32\svchost.exe | Code function: 38_2_000001845B3AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,38_2_000001845B3AD2A4
Source: C:\Windows\System32\svchost.exe | Code function: 38_2_000001845B3A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,38_2_000001845B3A7D90
Source: C:\Windows\System32\svchost.exe | Code function: 39_2_000001ADECD47D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,39_2_000001ADECD47D90
Source: C:\Windows\System32\svchost.exe | Code function: 39_2_000001ADECD4D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,39_2_000001ADECD4D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 40_2_000001D55907D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,40_2_000001D55907D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 40_2_000001D559077D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,40_2_000001D559077D90
Source: C:\Windows\System32\svchost.exe | Code function: 41_2_00000241A9EAD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,41_2_00000241A9EAD2A4
Source: C:\Windows\System32\svchost.exe | Code function: 41_2_00000241A9EA7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,41_2_00000241A9EA7D90
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_000001CD7319D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,42_2_000001CD7319D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 42_2_000001CD73197D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,42_2_000001CD73197D90
Source: C:\Windows\System32\svchost.exe | Code function: 43_2_000002824E897D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,43_2_000002824E897D90
Source: C:\Windows\System32\svchost.exe | Code function: 43_2_000002824E89D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,43_2_000002824E89D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_0000021B47B3D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,44_2_0000021B47B3D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_0000021B47B37D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,44_2_0000021B47B37D90
Source: C:\Windows\System32\svchost.exe | Code function: 45_2_0000020870067D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,45_2_0000020870067D90
Source: C:\Windows\System32\svchost.exe | Code function: 45_2_000002087006D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,45_2_000002087006D2A4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\whrbuflqwhah.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC610000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 202C0AB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2A6612D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAEDA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 26A87990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17953770000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2295D530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 253067D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1845B370000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D559040000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 241A9E70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1CD73160000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2824E860000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 21B473C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2086F9D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17183BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3F70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D2A4150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 275BDF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1AAC0260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 203C9F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B5644B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1C004F60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 24E2AB40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2644ADB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\spoolsv.exe base: 1990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 20D25DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 26EF5350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2A7F0D60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23D0FFB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B1C2570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2108B910000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 29166930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1988D570000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 13869B40000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1E1CC740000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2855DA70000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2BF199D0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 15AF3890000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 21A03B80000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\sihost.exe base: 1CD40E40000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 151A6530000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 19E29D00000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 17D7B150000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1BE621A0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2252F480000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 184683D0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\explorer.exe base: 1380000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1972E260000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\dasHost.exe base: 2246C5E0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 221D5930000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1A633B40000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2928D0A0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 1A22A640000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 21C6CF30000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\audiodg.exe base: 1D349350000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B60D90000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1F22F7C0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 241096C0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 28E722F0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 19168E00000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\dllhost.exe base: 28D91BB0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\conhost.exe base: 26F19AF0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B647730000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1E58CC00000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 287EAEC0000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\svchost.exe base: 2360AE70000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2C5CCF40000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 20B1BA90000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\conhost.exe base: 27C60030000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 26DC7740000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exeMemory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 26DC7770000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\System32\dialer.exe Code function: 17_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess, 17_2_0000000140001C88
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Thread register set: target process: 7824
Source: C:\Users\user\Desktop\whrbuflqwhah.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1AAC0260000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 203C9F30000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1B5644B0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1C004F60000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 24E2AB40000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2644ADB0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\spoolsv.exe base: 1990000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 20D25DA0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 26EF5350000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1B1C2570000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2108B910000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 29166930000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1988D570000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 13869B40000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1E1CC740000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2855DA70000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2BF199D0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 15AF3890000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 21A03B80000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\sihost.exe base: 1CD40E40000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 151A6530000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 19E29D00000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 17D7B150000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1BE621A0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2252F480000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 184683D0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\explorer.exe base: 1380000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1972E260000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 221D5930000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1A633B40000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2928D0A0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 21C6CF30000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\audiodg.exe base: 1D349350000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D90000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 241096C0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 28E722F0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 19168E00000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 28D91BB0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 26F19AF0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1B647730000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1E58CC00000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 287EAEC0000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2360AE70000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2C5CCF40000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 20B1BA90000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\conhost.exe base: 27C60030000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26DC7740000Jump to behavior
Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26DC7770000Jump to behavior
Source: C:\Users\user\Desktop\whrbuflqwhah.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exeJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestartJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3Jump to behavior
Source: C:\Windows\System32\dialer.exe | Code function: 17_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,17_2_0000000140001B54
Source: winlogon.exe, 00000016.00000002.3090792452.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000000.1723155542.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000016.00000002.3090792452.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000000.1723155542.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: winlogon.exe, 00000016.00000002.3090792452.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000000.1723155542.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: winlogon.exe, 00000016.00000002.3090792452.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000000.1723155542.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 3_2_000002C5CCF536F0 cpuid 3_2_000002C5CCF536F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\dialer.exe | Code function: 17_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,17_2_0000000140001B54
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Code function: 3_2_000002C5CCF77960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_000002C5CCF77960

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\whrbuflqwhah.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | File and Directory Permissions Modification (1) | Credential API Hooking (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (1) | Windows Service (1) | Access Token Manipulation (1) | Disable or Modify Tools (1) | LSASS Memory | File and Directory Discovery (1) | Remote Desktop Protocol | Credential API Hooking (1) | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Service Execution (1) | Logon Script (Windows) | Windows Service (1) | Obfuscated Files or Information (1) | Security Account Manager | System Information Discovery (22) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Process Injection (713) | Install Root Certificate (1) | NTDS | Security Software Discovery (23) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Process Discovery (2) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | File Deletion (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (21) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Rootkit (4) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Modify Registry (1) | Proc Filesystem | Remote System Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Virtualization/Sandbox Evasion (21) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Access Token Manipulation (1) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Process Injection (713) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | Hidden Files and Directories (1) | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
Behavior Graph ID: 1538050 | Sample: whrbuflqwhah.exe | Startdate: 20/10/2024 | Architecture: WINDOWS | Score: 100
Node 2 (start):
  signatures: Multi AV Scanner detection for submitted file; Sigma detected: Stop EventLog; Hooks registry keys query functions (used to hide registry keys); 5 other signatures
  started: 7 whrbuflqwhah.exe (1 2); 11 whrbuflqwhah.exe
Node 7 whrbuflqwhah.exe:
  dropped: C:\ProgramData\...\whrbuflqwhah.exe, PE32+; C:\Windows\System32\drivers\etc\hosts, ASCII
  signatures: Self deletion via cmd or bat file; Modifies the context of a thread in another process (thread injection); Modifies the hosts file; Adds a directory exclusion to Windows Defender
  started: 13 dialer.exe (1); 16 powershell.exe (23); 18 cmd.exe (1); 20 (10 other processes)
Node 11 whrbuflqwhah.exe:
  signatures: Multi AV Scanner detection for dropped file
Node 13 dialer.exe:
  signatures: Injects code into the Windows Explorer (explorer.exe); Contains functionality to inject code into remote processes; Writes to foreign memory regions; 4 other signatures
  injected: 22 lsass.exe; 25 dwm.exe; 27 winlogon.exe; 35 (22 other processes)
Node 16 powershell.exe:
  signatures: Loading BitLocker PowerShell Module
  started: 29 WmiPrvSE.exe; 31 conhost.exe
Node 18 cmd.exe:
  started: 37 (2 other processes)
Node 20 (10 other processes):
  started: 33 conhost.exe; 39 (10 other processes)
Node 22 lsass.exe:
  signatures: Installs new ROOT certificates

Source | Detection | Scanner | Label
whrbuflqwhah.exe | 63% | ReversingLabs | Win64.Infostealer.Tinba
whrbuflqwhah.exe | 72% | Virustotal |

Source | Detection | Scanner | Label
C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe | 63% | ReversingLabs | Win64.Infostealer.Tinba
C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe | 72% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
fp2e7a.wpc.phicdn.net | 0% | Virustotal |

No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown

No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538050
Start date and time: 2024-10-20 05:57:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 25
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: whrbuflqwhah.exe
Detection: MAL
Classification: mal100.adwa.evad.winEXE@45/67@0/0
EGA Information:
  • Successful, ratio: 90%
HCA Information:
  • Successful, ratio: 97%
  • Number of executed functions: 60
  • Number of non-executed functions: 362
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Excluded IPs from analysis (whitelisted): 40.126.32.72, 40.126.32.134, 20.190.160.22, 40.126.32.133, 20.190.160.20, 40.126.32.138, 20.190.160.14, 40.126.32.74
  • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, ocsp.edge.digicert.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
  • Execution Graph export aborted for target whrbuflqwhah.exe, PID 7272 because it is empty
  • Execution Graph export aborted for target whrbuflqwhah.exe, PID 8056 because it is empty
  • Not all processes were analyzed; the report is missing behavior information
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
23:57:58 | API Interceptor | 1x Sleep call for process: whrbuflqwhah.exe modified
23:58:00 | API Interceptor | 18x Sleep call for process: powershell.exe modified
23:58:35 | API Interceptor | 497764x Sleep call for process: winlogon.exe modified
23:58:36 | API Interceptor | 405165x Sleep call for process: lsass.exe modified
23:58:36 | API Interceptor | 4919x Sleep call for process: svchost.exe modified
23:58:36 | API Interceptor | 1926x Sleep call for process: dialer.exe modified
23:58:38 | API Interceptor | 482443x Sleep call for process: dwm.exe modified
23:58:44 | API Interceptor | 223x Sleep call for process: WmiPrvSE.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
fp2e7a.wpc.phicdn.net | 76Kobq8opu.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | 2WWOAq4c3b.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | file.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | https://sub.investorscabirigroup.com/4tBfEb10596UgJc775rrkvedqhmm1528ZICWGQLYSOBMUOM389951/749609V14 | malicious | Phisher | 192.229.221.95
fp2e7a.wpc.phicdn.net | SecuriteInfo.com.Trojan.PWS.Steam.37666.22649.31511.exe | malicious | Stealc | 192.229.221.95
fp2e7a.wpc.phicdn.net | https://blmphilly.com/ | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | 6jIu8wTqNa.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | SecuriteInfo.com.Win64.Evo-gen.14681.29745.exe | malicious | Blank Grabber, Umbral Stealer, XWorm | 192.229.221.95
fp2e7a.wpc.phicdn.net | file.exe | malicious | Stealc | 192.229.221.95
fp2e7a.wpc.phicdn.net | SecuriteInfo.com.Win32.PWSX-gen.3941.21019.exe | malicious | Unknown | 192.229.221.95
No context
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe | SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe | malicious | Vidar
C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe | SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe | malicious | Vidar, Xmrig
C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe | SecuriteInfo.com.Trojan.DownLoader45.1081.7048.8713.exe | malicious | Xmrig

Process: C:\Users\user\Desktop\whrbuflqwhah.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5512704
Entropy (8bit): 6.53877415843636
Encrypted: false
SSDEEP: 98304:iLYn+RXS6SNwDy4+8ZEo1cQ5fQsN/lHKVQyDMUO6PWe7xulC0jYURWBFfiX5g:iO+lFf+toK2fvKhDMnqulQz65
MD5: 99201BE105BF0A4B25D9C5113DA723FB
SHA1: 443E6E285063F67CB46676B3951733592D569A7C
SHA-256: E4EDA2DE1DAB7A3891B0ED6EFF0CCD905FF4B275150004C6EB5F1D6582EEA9A2
SHA-512: B57AE7282F2798CBF231F8CA6081B5FAB10068566A49F0AD735E8408CCD73D77EFB5C26A48B7591E20711F0ADBD9E619B40078B9C51D31B7A9768104529E7808
Malicious: true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 63%
  • Antivirus: Virustotal, Detection: 72%
Joe Sandbox View:
  • Filename: SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe, Detection: malicious
  • Filename: SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe, Detection: malicious
  • Filename: SecuriteInfo.com.Trojan.DownLoader45.1081.7048.8713.exe, Detection: malicious
Process: C:\Windows\System32\lsass.exe
File Type: very short file (no magic)
Category: modified
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: 93B885ADFE0DA089CDF634904FD59F71
SHA1: 5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256: 6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512: B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious: false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllul3nqth:NllUa
MD5: 851531B4FD612B0BC7891B3F401A478F
SHA1: 483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
SHA-256: 383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
SHA-512: A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
Malicious: false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Users\user\Desktop\whrbuflqwhah.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2748
        Entropy (8bit):4.270757942698912
        Encrypted:false
        SSDEEP:48:vDZhyoZWM9rU5fFcDL6iCW1RiJ9rn5w0K:vDZEurK9XiCW1RiXn54
        MD5:BD1F95D36F7FE0BA9388B8236DD385A9
        SHA1:040F86DBD18369D33C06B80415331848777BAB5A
        SHA-256:D1078FC941026B7F04E643134ADE20F14C081DD4E07D604E0BB63E2EB75D7460
        SHA-512:4256BDF517D4BF4551484E72110B24D525D101550ADB78414CAE3B3DA7444ADC44AAD314DF491F1F1DF0DBE7A9925B1BCFC546B19336EEB92A6D553CF95902A7
        Malicious:true
        Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.scanguard.com..
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:modified
        Size (bytes):2352
        Entropy (8bit):3.7138157877155136
        Encrypted:false
        SSDEEP:48:Mtn0PgCrP+kcSLdwSCtR65EfWHjjP4OFiNafyr7O3:iignjJOLjjP4Ok4Ky3
        MD5:A940FE875824845B10E99B440C1B893C
        SHA1:AF02049485D9550DBD910C47C5845E6F70BFDA59
        SHA-256:F490E8BB9F00FCF6928DF18FF077791BAC12C3E1A6F3FF56D0B935A7DEFDB22C
        SHA-512:8A3846CD67E41584D2119079761957EC73D17A0054F7EBF6372986A87AD9E7CD06211E0770FA7E367452B3BBA45BA3B25140351BE40236C744BEB62F9E3CEC0B
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 304, DIRTY
        Category:dropped
        Size (bytes):109960
        Entropy (8bit):3.6448897775983666
        Encrypted:false
        SSDEEP:768:gVUHiapX7xadptrDT9W84KeS7VUHiapX7xadptrDT9W84KeS:rHi6xadptrX9WPBHi6xadptrX9WP
        MD5:1C16AD7CC9AC87B60A474884920637FE
        SHA1:E06C33495C9BEBA6DA41A4E26808A6D33BF04F13
        SHA-256:73DCD930793D5843BE86EF27F4F337EFD140FF21524C34861F2D26BC3D4028D6
        SHA-512:4B3A76E2B3CC9A83590E2B4BEB48A210CD8FB6265F3A490165382667A42BFB487FB63313927F6C8D9E400361515DCD918928A0B77EC1641DFD877808BF2C45AE
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):2.010692427789071
        Encrypted:false
        SSDEEP:384:GhLNzhNCjN0QNGNgN7NxEN5N0RN0zN0mN0RN00N0oN0xN0qNeN0NN0UN0lN09N0Q:GnqqIJMa/Mh9sUwBYAJGUarGlEwxV
        MD5:26C4C5213F3C6B727417EF07207AC1E0
        SHA1:1815CC405C8B70939C252390E2A1AEC87EFF45F2
        SHA-256:767656ADC7440970A3117E0DA8E066D9A3E1DA88CBC82ACABCFA37A3985D5608
        SHA-512:0355BBF16EB471698F47189031E8E18306D8F748E6CC5328C33301BEAAE435647532B24F5EC42A94B92390C19E60D11846B412C6747DC82DC98999E649607B65
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):1424
        Entropy (8bit):3.3978217275899176
        Encrypted:false
        SSDEEP:24:MQ/w/VTg2W8yNs8KBD8/4NeGUNvA8KBD8/4Nes:MQYrWvvV+U7V+j
        MD5:9BD36E57DE8A7FCDD5E30AFEF22EE2B0
        SHA1:A731EAF6AFE47780BF35AE801A64C6217D4947A3
        SHA-256:F25217081BC15F53E93DDAFD5F2D682AFB4CBB24792979339F1FDE95A971D5C1
        SHA-512:6BA7D84D742AE0079B9DDCF87F411BED6975AC0E46F7F04C70F563FFDA991DDE279F87D8595040B5AED8DF4192824F9A72928677AF001FCDA8C1FC4BA28EFEAB
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.4282829945446665
        Encrypted:false
        SSDEEP:384:XhTm5mcFmNQFmomTDDr0moOm3OPlfmMsgJm5mnmYmcmum/mqmlmtmumbsmbmvMmk:XRHD6CL49mVpgwQFQ
        MD5:31D68ED8BB4F9B15EBF9C4D0A35899F1
        SHA1:F93A08CF3EB83163FFB488AC148C490E0FA55E45
        SHA-256:38D4418FC18FD14561C679EC3AF1287C99027FC40202EDB087382FEFEC230BCD
        SHA-512:B186EFD9FC277976C87D8526210683101077AEF9717C99D0FDC3BA51882D36968A95CC50A72F88B5E4E93F379917BD40A57CCF8C1E2AEC1D9846BF1529446990
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 2, DIRTY
        Category:dropped
        Size (bytes):69448
        Entropy (8bit):0.6198103849311708
        Encrypted:false
        SSDEEP:96:5wNVaO8sMa3Z85ZML8rjj93Z85ZuZNVaO8sMa3Z85ZML8rjj93Z85Zu:5OV7pp8nMLwv9p8nmV7pp8nMLwv9p8n
        MD5:580FCDF0E94F6163D0949C0E44DFFC42
        SHA1:F5ED3CF52407E3DC1266FB68FBC8EFCF65982E2B
        SHA-256:A95A7F1A4C43E0003E923C503CED412B3D519189698E24BF3D2931C8929ECBA5
        SHA-512:4F9A5DF8AE341067F6DF2137A7E039E1F261A2395F9A1A1F45C91FF5185DCC83C9B1307BA23F3E6DE420B652C0F37B3A1FBB801B505229653EB61B7058A7FE07
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.014860518194814
        Encrypted:false
        SSDEEP:1536:xbBN2A4VD7VAx8whAGU2woJQghcI5oIRA4Hw:
        MD5:4FB8E2CF8B3F20534836684947962DC2
        SHA1:B263607E627C81DA77DB65DF5AED2F3FD84B83E2
        SHA-256:DEAB680C467984C31D118AC595F0F57E573CEEC460CC4B43FCEB0BD66F731294
        SHA-512:D982DB741A044E222D567712FB4799FF6524A1D451C3D2EE3DF7EB17031AD20EF4EC7098BCFB3E2B00C929EB6569C858EFCF275B28240425E4BF8D994AED9053
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.15655690871689
        Encrypted:false
        SSDEEP:768:SPB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9tFk6dd3s:eXY5nVYIyyqED5BVZUeouPZ
        MD5:2DE60575CB719BF51FAB8A63F696B052
        SHA1:BD44E6B92412898F185D5565865FEA3778573578
        SHA-256:7C14D6D72CD2DE834A0C4D17A68B2584B83B81C647D2C439E1071600E29A803D
        SHA-512:0471E7824795996992E736F33FEA7AF70EA909804DE3AC59EE76B5D0403901A5147558256C3AAE87BA8F1747D151DE63134661BEB9F6E0FF25AB0E3E89BC6B4A
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):93800
        Entropy (8bit):2.151441285111169
        Encrypted:false
        SSDEEP:384:hosKUohhdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorRor9orwTorYoS:SDCY0DCYhp
        MD5:0B62464D5C3311FCABE261A496862520
        SHA1:0D3276F8C48BA293F911DB222675A09BD59EDC89
        SHA-256:A7401EA32A6BBB7F607171D8A4E80E3544764DA8257439102E9EE9713E7FB83B
        SHA-512:E0EC215B97808D589FB44F4FA5C680ADFA4AED5855B0D82AEF2903170CBBBD1D7BCFCBCA1AF77A947FF24CDA6E72B7C631E7FFAB01A132F85E170BDA7097D270
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.8524226245257144
        Encrypted:false
        SSDEEP:384:JhAiPA5PNPxPEPHPhPEPmPSPRP3PoPpPTP8PXPr5P:J2Nr
        MD5:B8E105CC52B7107E2757421373CBA144
        SHA1:39B61BEA2065C4FBEC143881220B37F3BA50A372
        SHA-256:B7EE076088005866A01738ECD3421A4DA3A389FFB9EEB663687823E6647F7B4B
        SHA-512:7670455904F14DA7A9EEFBAD5616D6D00EA262C979EDABB433182500B6EF918C6E534C94DF30D829016C8539DF12CAD5F53EC884C45AA71ACA35CF9B797361BC
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.8432997252442703
        Encrypted:false
        SSDEEP:384:4hZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+l9:4WXSYieD+tvgzmMvRpBWfb
        MD5:39EE3557626C7F112A88A4DE12E904C1
        SHA1:C307FECC944D746A49EEA6451B7DA7301F03504C
        SHA-256:2B47146267E6F31192C54D3EDA77EC9ABE6A88B1C72BA9FE789C8073FD632A5A
        SHA-512:304C866E246B3F63BF126B33AED784913A078D44913FD987D896D2D960578B61BA7E24BA3CB8FC76608AB1E5702D0FE587A5FB8C38CDF8913D60F88B1435A2D9
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):2.9223892466691472
        Encrypted:false
        SSDEEP:384:whqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28t:wbCyhLfIXBS5
        MD5:93BC7C28E3A7B0EC7634432FFB5F26AE
        SHA1:388548D6291DA80F672153D1C18E32BDA335AA90
        SHA-256:D354F4EA745283540D197B6D4C57EFC4F539F7566CFB3A06AEBD1243CD222EE1
        SHA-512:3235FEA5A58C72DCD680D436AA2652F5221C6AC6F5A53882C7817A8A65E63C13087CD5660839FC7CFA0F62C666014608B91ABB4235EF5F79F68EF5806252F84A
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):2.838106263184782
        Encrypted:false
        SSDEEP:768:ccMhFBuyKskZljdoKXjtT/r18rQXn8r3e5POH:JMhFBuVge
        MD5:A2D41740C1BAF781019F282E37288DDF
        SHA1:A6FE635B3EC8A6923EDE10C23FC79DD32EF4F621
        SHA-256:7008D3010B17C0B09643D10D26B19FB971BB1963C414C1466BEAD617CF9F15E7
        SHA-512:E33A0A2F9473D2D05E9704FE16E6EE34FB51FD8E25A3D60E1F7A67665CA14421B6511D896526AFC7CAE1BF629BB7013FA10663620C5450F1BB51A465EF5A51CB
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.634418630947688
        Encrypted:false
        SSDEEP:768:/VQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaUeI36ISKEeKRe:cH
        MD5:A00BAFFCABB00428EA0512FCECCC55E5
        SHA1:19F7C942DC26C3FF56D6240158734AFF67D6B93E
        SHA-256:92264C9E28AB541669DED47CFAF1E818EBD863FA9E8FC6B0F52175D694A9E0D9
        SHA-512:DF94AA8FA0610A0EFE7BAC0DB2A01645A4CD1C7FAD62E914EF914B526B651ED62600F63909D26149FD17C259348DADE05F48759B1DF092970251DB86690CC2B6
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):2.0646587531847893
        Encrypted:false
        SSDEEP:384:eh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDK:eMAP1Qa5AgfQQgniwS
        MD5:399CAF70AC6E1E0C918905B719A0B3DD
        SHA1:62360CD0CA66E23C70E6DE3340698E7C0D789972
        SHA-256:FD081487CCB0ACEAD6F633AADBA4B977D2C9360CE8EAC36EAB4E3C84A701D849
        SHA-512:A3E17DA61D4F7C0C94FD0B67707AE35250656842D602906DE515B5E46ECD5078AC68AE607B99DC1A6061B0F896759FE46FF8EE350774205635D30363D46939EA
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.4364303862010575
        Encrypted:false
        SSDEEP:384:PhrE2E+EAsbE3VgEWsUiEcEf4eEOhEmELVFEEE5ejElEreEFEzEAEWE+EWEeEKEy:P3sleByhfIwPGa1SEzy
        MD5:2BB73ACC8F7419459C4BF931AB85352C
        SHA1:F1CE2EB960D3886F76094E2327DD092FC1208C7E
        SHA-256:1969400F6FC72AD4A41092FEC53A19078C98DE9FCB2507A3BD8E1930B2447B62
        SHA-512:7D882184DA11B490E111502C8193B73248259D43CC5DCE021CD7264212F1BCD3D62F2A3A2F86929663E2E904961D4F1E406E314020FE904D41694A09C1EB0457
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):3.0631557320109892
        Encrypted:false
        SSDEEP:384:xhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3KlZ:x1T4hGvj
        MD5:86AEA3A9CA3E5909FD44812754E52BD6
        SHA1:F79B583F83F118AC724A5A4206FC439B88BB8C65
        SHA-256:2AB21F158F9FFA0A375B2ABBD58880A732FABBC436246D40A68DD88D324428C9
        SHA-512:17796DAA6BCE3C6B7EBACD2A683D085AB08C7701DB5FF91DC2D6531E9CC23FCFC52650A6CD02D8B54D4E8C8D5B59DB1688E18571587E0431E4AA914086BE26F5
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):2.4467272005363894
        Encrypted:false
        SSDEEP:384:EEhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjD6:JzSKEqsMuy6TN
        MD5:155681C222D825199B738E8DEC707DC8
        SHA1:704C800E7313F77A218203554E1428DF2819BC34
        SHA-256:1505E543085CB6AA30119F10DF11AC8CE061DB0CAC6D44A640E711F96750C4BF
        SHA-512:ADDDE8E26D330EAA13F993D17FF4A6DE7F4120E5B36205EB69FC999B0462B21FD189317EFD1002618551EE24E5C753A09EB34955E8CF1A8E2A22D27516BAB720
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):2.156155224835584
        Encrypted:false
        SSDEEP:384:MhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zE:Mmw9g3LU
        MD5:F22AC858C2ACC96E8F189E43FFE46FBD
        SHA1:540B8276921D37FCFFDA3FC7BCFAE1D99A85433B
        SHA-256:771A6E4098CB30081338F06DD7C0B54248C133F9B7B6849FDADDBD6E6FD5BCE9
        SHA-512:B4CF3C51B9FB236207B19FE697CEF6E402C6C903E7570B3938F529E5438F96E230463B9A9B17784A98E580E2B18AA9626E96AA83F705D506AF9C2A0432F0F7D5
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):1.9197999988543422
        Encrypted:false
        SSDEEP:384:ehqID7I26vIxIPIttIo0IPrI5IMILIjI7I1IIIfrIBBLIgITI:ecx
        MD5:6C3F290FC62CFA9C240AEE8DB1DBA277
        SHA1:CFACCF81F3AA31E8DE85CEAFDAA55AA90FA18BEC
        SHA-256:7841FBB35636229AFB0389965D3DDBD0B7DF4858F1DA8A8FF434830DB8B133D6
        SHA-512:D2C60875EFADB1F3421CDC095B00E32419C0266CB4F58B17AF09A82AAA20EB488C757BA07E7562A033B84A37B3E035C405200BFB29330F79CA565FF21F5EDA88
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):5.718426658668259
        Encrypted:false
        SSDEEP:384:Thka5Ka5WsR9o2KbzyzIz7a5NsR9o2KbzyzIzia5zzuzNz0zxzuewKWMK/2a55wt:Tdqlt94xODljQdM
        MD5:8630011707C7BFBCECC0A9430637802E
        SHA1:22247A5B6A4C01883BB14E0BD4575A3553F945CB
        SHA-256:227057F9899098B21709D53114E9DECFFCD28207BFFA178AD6B1E32F9C63EDDF
        SHA-512:972629871B28EA6D01B8762B28378F8348E592BD465FE7FD1CF6AB5BD62157230AD3BB729F6290F6EDA950AB20598110676D902756E40BA3067ED37831855076
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.9963080376858662
        Encrypted:false
        SSDEEP:384:l7h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMLaMA0MJvMZy:l7eJw
        MD5:A51AFE78FA4481FA05EDC1133C92B1D8
        SHA1:5BA44E7A99EE615E323696742DA6B930E9FF6198
        SHA-256:44C1977D16383DF6B1FFF8164F319DFD99092A124ABA7C7280D74A6BB8AD2094
        SHA-512:792E5E8F5540DCA4B7F003C1043DCBC3E0EC3F23EC4A7B0FA84357F6ABDFD84122C124DBEA2B61D3B5CEED79A3E158DBE95DFCDB20EEAC433D9CDC29C3328F22
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.076996627399968
        Encrypted:false
        SSDEEP:384:Ihk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS12:IBjdjP0cs6N
        MD5:A8ADBDC2B39B55444B2C844F7D81EBDE
        SHA1:F97F40E314C8A2A39953A28CB72C9270D3073418
        SHA-256:93CF0EF4C121FCBB18A8A6DA5912415AF1113816BE6A8F9B86BE6A2243408E09
        SHA-512:922D165CBE871A393D58DAABABE7D09557E242BF73C2C473C29CCB0FB3277B8119911EFF51B12238D23B613AD9C15DAB163C9757BC9006D768B2345F53436E7B
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):83408
        Entropy (8bit):3.453852464611312
        Encrypted:false
        SSDEEP:384:Q0IL7yI4IqIEI0IO6yI93I59tIrIDIPIeILImIuRIAIPIdIpIJvAIVI9ILvhDIEb:QmPLvZxGp9uP
        MD5:3C1EA02E9BABB0358F400341DCA6EE7B
        SHA1:6A5981CD16907C60EBA69ECE077114CD84A136A0
        SHA-256:23E8A82D657D9CC821D1A21F27CBC7C3554DFA6C039976BE055DC4225A1672A5
        SHA-512:63DC7D28DCBAF6BA56DE7D70C1D4439C521C3C488A27570A241342686A48C4F8B9BAB3D4F75C8C11E66CF704A0C7C164B888C78B72A7A519A2B72609D31F35AA
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.801423310886069
        Encrypted:false
        SSDEEP:384:dh6iIvcImIvITIQIoIoI3IEIMIoIBIDIcIwISIEzIJVI:doxJS
        MD5:9EAAD7982F42DFF47B8EF784DD2EE1CC
        SHA1:542608204AF6B709B06807E9466F7543C0F08818
        SHA-256:5468A48533B56DE3E8C820B870493154775356CE3913AD70EC51E0D1D0D1A366
        SHA-512:036BFABE2AC4AD623B5C439349938C0EA254BFCDAB9096A53253189D4F632A8A8A1DD00644A4573AF971AAEA6831317BFD663E35363DD870684CDD4C0A51884C
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):2.996272372482282
        Encrypted:false
        SSDEEP:768:e4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH137:M
        MD5:4F68D6AF0C7DB9E98F8B592C9A07811C
        SHA1:9F519109344DD57150F16B540AAA417483EF44FE
        SHA-256:44177E6F71E240EBFE9CE63FEFBF5D46A01979E09C0C14F65F1D19AE8E97B8EE
        SHA-512:E1D5097BCD572F3DBAF4024FAEA76BAD3061CD2E05017701B578020327969C2BD3F725FBE8BFE4C40DC66336CE1371E7AB037058603B02449366DAE4EDE8DE69
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:dBase III DBT, next free block index 1130785861, 1st item "**"
        Category:dropped
        Size (bytes):68624
        Entropy (8bit):3.743950093469271
        Encrypted:false
        SSDEEP:768:8PYutDBjV8k+uoeUtHpoVWWG07SZRcZv76NcRUjGHzLKvc90XKcZv76NcRkpyLjh:vutDBjV8k+uoPtHpoVW
        MD5:2C2FD78FB4EEFB05CFF5ECCD1510E9F2
        SHA1:2984FC17D2AAAEBA3C5F27AA167C7B8AA2D40BCA
        SHA-256:4795DA88780E1D7E7ABF6462FE69366CF03BA078FE2DD2A493F2FD3E0051E91F
        SHA-512:78A0BA400BA1259EE3DD67F4F139D69C14C70ED139ACC566F493BE50F73C4F1E904235E1329CD987888020C2B3CD447D60C6CDD12EC43A5D6EEEC5D92D1813CC
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.738422084421742
        Encrypted:false
        SSDEEP:384:dh+rKvKaKNP6WKkvKWKlpKuyK7YKmKaKHxqKWyK11KUIKqKq9KLjK5yKoKfKYKnv:dkN2cTOsKJlhSCP1t5l3WNrjzDbRt
        MD5:5AFB3CF578AC5963E4479BE8BD4BC0B5
        SHA1:7C6E6F21DB6AA8A5130ACA41B04CC7085396C1B7
        SHA-256:3B69505E8A2F8C93AA8852F723128994F745238A051303D2939C304CEB2BB5FB
        SHA-512:D89C9BF5C097FE24AA78B8E376E9B554338C779945EF879AC7ADD68B8411796A90871368D39AD152E254D6A96B6D8D117D44FD23E5702C58F5FD720D501FF3E3
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.7590316238843728
        Encrypted:false
        SSDEEP:384:IhP8o8Z85848V8M8g8D8R8E8T8h8p8TtP8sU8:Ic
        MD5:B074238315662886E2BD70106D08A747
        SHA1:5ADA158D19401565E76349FCA97489E9FB9BFA36
        SHA-256:53770508DCDA0199A75458B5A10DC8FD2E49A4CFD0FC001C16D56F3B567AB71C
        SHA-512:9D35DC04CCE95541551254BCBB00B0E2E0860D9B6F69D40FBC829DA31FC3AC43690A049A432BA4D43315B80675143A6AA02C57484E7903845010A5AD9EC92D6D
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):3.7512368716528823
        Encrypted:false
        SSDEEP:1536:vXh2UyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:vXMnS
        MD5:B5FADEDA536BD6E6A03C7F975A21572B
        SHA1:0DC37B9C1E6A26BF38344B8CCE131AC59B3346F6
        SHA-256:B7EDD2A7DE4DC633E9A3ADB5981CDEF9FDF57C776C7B351CA027A7AD47C69F2D
        SHA-512:B8D902679920055358F2DE1F6DEEB805A015FD29EAF34B8A84664CBD9B8332B3B2DA790FC683223C370B3F014C29B0196E4BC7C1CD29619C0C4A1EA306D5EAC0
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):2.3069197485541766
        Encrypted:false
        SSDEEP:768:S0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O0apPaQOan6qa6IvV1:ycEu
        MD5:E6E4C860CE7DD1BB499D6A082B461B90
        SHA1:11330861B23B1D29D777D9BD10619A07B6A6A9C0
        SHA-256:C27431D9C64F5C9D323E2B4ED5F44781969B34F30DC4280296A329DCD6509D44
        SHA-512:7393A0FF290BB3DB07E8BB9A9FA7B666CD8B686CBDAA3FED2EBD704D6E88A4D5768D104BD768E6AA533C42588C661A863E11ED9146ABD7386A2A9B4F84583406
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):2680
        Entropy (8bit):3.8680761366447016
        Encrypted:false
        SSDEEP:48:MfcApWf7CKOrCK3QbB69DVusxCKOrCK3QbkcqrAFCKOrCK3Qbkcqr5Ju:zCKOrCKgl69DV/CKOrCKgbkcGAFCKOr6
        MD5:C5D59BC570D1E9B2DBF058075876821A
        SHA1:EDDA8B2CEFFD1C2959DB4E22F9F95A6BF366600C
        SHA-256:8E2F53176BB44E245BD54A047A9B55B56CC0A48A774982157828BEF36E7487ED
        SHA-512:18A7664826C32591EFA011F065858E0747F170248F55895A43437386AF58C8CDFEA7231F3CF04E413AFA036466CAAB32C60581616DEF5A9421025569E4511C0C
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.2909571978750325
        Encrypted:false
        SSDEEP:384:Ny2/hDGCyCkCzCRCFCNClCuC6CoC9rC6CdCsCvCkxCkC5CCCWCxCIC/CbCFC5CkG:Ny2/dm1sR
        MD5:B0BF4D9EC91ABBDA5D328631B125A5C0
        SHA1:E672D69127AE7C1A51046ADAA911871EC0C10ABB
        SHA-256:8DBE6F5B80B3D973BBF1177BCCAA690B9F90FC99DC358B7DE66175317C733501
        SHA-512:3132E1FCC5C8F88BD974465EA1E644CA89C2D9E041E49F8A1F48B9ACB3376F0A1042F5CB6FDFC6BE2934C4483312C35539D64DB25B892388604F9F637074BCBD
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.488768580471203
        Encrypted:false
        SSDEEP:1536:Q9YcieRoUlafdbkKKMAQ2SomvXCQv/2ketsvQPh8YzSJoh2VgPIEF6uq9GgCVRlW:Q9YcieRoUlaFbkKKMAQ2SomvXCM/2keU
        MD5:E3FB1708C64D250E4D801AFB8688DF35
        SHA1:8B889F0358683733257411E451A86E3A1D42159D
        SHA-256:0B62FDD9A57B1809D79561AE64BE30DD7430815D6954A5E3DF90E29E1B2E6C72
        SHA-512:2F5CC514B180A39E5961452A594FE5384A6369CBCB7A1CEBAC37948770A6CB999A2E2F26A32240058D5D7A335904DAF40C88F1C096D8F85907F23E9B32E79ABE
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):70808
        Entropy (8bit):4.497075499963553
        Encrypted:false
        SSDEEP:1536:nioR9gj+uocwfe+/cRFkL1TWX0gkB/J7oasEfyk2/vKlqRi/PgTZSXwyvy8fJpf/:nioRij+uocwfe+/cRFkL1TWX0gkB/J73
        MD5:D4376C1BFB4A38275CBD19A48A234116
        SHA1:4F6ADF4E1DD59A433C56E2911F424D370B32669F
        SHA-256:00309B31893B103222EE7BBCDF6710E45F0B05354F149E36DE0A5B15A84E247C
        SHA-512:548604ADA18D3493DA2CD682B81F3BD75C3297956D3E99926EC3A3B1C4A1C8D68CAE5AFA0ADAB563C4D201E39037F5EC48DA52BE47B5818F9C9C193235F82E2F
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):66976
        Entropy (8bit):4.4769412411971805
        Encrypted:false
        SSDEEP:384:t7o7lhN7s7o787l7r787a7J7z7+7N17g7N7o7g7gY7hZ7D7k7F7r7wm7NP7Y7+7I:I9LuCg
        MD5:C5B9E1F8C181432D83C42A4DEECA4583
        SHA1:2631DD53058A2A34B4553F7230140CEFA41C6E2B
        SHA-256:AD63AF2FA836EBB902DCD4DF06D1E210689DB147F2CF83FDC7934368D4586AEA
        SHA-512:3B7F1B2B10A110123AF94BFBBA8C4D38283B89D1250FADF4B2BF2768B09035571376F30BBFB4A415C44FFD3BBD14F1B675CB8540A19EE363397315B8E53D169D
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):2.1499045494600955
        Encrypted:false
        SSDEEP:384:Dhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauind:D6Ovc0S5UyEeDgLslstY
        MD5:2045FB0D54CA8F456B545859B9F9B0A8
        SHA1:35854F87588C367DE32A3931E01BC71535E3F400
        SHA-256:E4305D5E1125E185F25AABA6FF9E32DE70B4EFD7264FE5A0C7C2EF3C33989C45
        SHA-512:013CAC4CBF67C9AB5D2A07E771BAF81950E5A256F379E3C2E26CC9E8E47379579470CC6FD56E93B31C4D17935713D1FC6026307427D77CBE9647139E3D73AC47
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.8164696340947971
        Encrypted:false
        SSDEEP:384:jhGuZumutu4uEu5uOuDuyb2uPu1uRu3uGuHu9/u:jr
        MD5:1AB19FA472669F4334C7A9D44E94E1B3
        SHA1:F71C16706CFA9930045C9A888FDB3EF46CACC5BC
        SHA-256:549D89A256E3C71AFCBF551EC9BEDBDB3CF2DC74B4F8C214FDC1D270FB731F6E
        SHA-512:72F1F20CB1F2984B318E4A2AAEE11D573441A77D04C0577D24E19F89E85F1691CB29EF569BD25EBBBD313C7B9DB945DB43D52EEFC2EF33E7BEECDFB8E0BBC404
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.9855903635327656
        Encrypted:false
        SSDEEP:384:cxNhPALAb/A0D6AKAlAfyVAQhAQueA4AIAwA0AYAwA+/AfAjrA3DA:cxN90yzXd
        MD5:7BCA54AC75C7185ADFBB42B1A84F86E3
        SHA1:AD91EE55A6F9F77AD871ACA9A5B59987CA679968
        SHA-256:A43B1365211A968B4EC3F9EC7489D05AD9EED30D3EE0CCD89860D20DFE1914D4
        SHA-512:79A04DCE951528E09F7580E797E38D58CFC556EFEC032C3E68C701D720E01CBDCA3D4F27C309D50B9096570787A0E62B2C69236D148AC9C216CB13AA05E9619F
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):3.165454452307923
        Encrypted:false
        SSDEEP:384:ghVpIcpBUpBxpBapB3pBEpBZpBKpBV1pBApBppBTSpBcu1pBspBlpBABpB7pB0py:gd+uXvB
        MD5:B6B6F199DA64422984403D7374F32528
        SHA1:980D66401DFCCF96ADDDAF22334A5CE735554E7F
        SHA-256:8F65F81EE28F48B5007E04842ACC9DE20794A59E2759C2F35F7C10730A1EF7BF
        SHA-512:5B0EFBF1C57BACF347790EB5915AFCFDDDDAFA7761D94DF1341C4E79F5B16DA3FAC2C9653C3DC41B80E31EA44AE46F4FC95C6EC0FFA0A0D3C05C69CED6955DE4
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):3.8519554794255333
        Encrypted:false
        SSDEEP:384:WhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBZ:WwDoh1VqKVvcVU
        MD5:4140628CA3CEC29C0B506CEEBDF684F6
        SHA1:A2B70496C8E91D8E78AA04976B25D850ABAC6E1C
        SHA-256:1823149759A2F1771ACE7B6BE14A0FEFC6F93DD9F81AC1024E6B41C2CCBFD8B0
        SHA-512:779A04771A8E9B2F501FE1251F0D56C5B5988911F6067082D84FF1DBCF5D9281E32DF6CC2C995843EA1FCED748548DC116706E0F738B6510B47C2B3A0EBAA126
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):1.1642919553794224
        Encrypted:false
        SSDEEP:384:bhwCCRzCaCkClCzCYC/CyCVCGCMCvCNCACCxC/CLCoiC:bKFb
        MD5:D7EECF043241FDB9486580582E208603
        SHA1:045D5672A8E9884B78CD31C52D372375503CBF4F
        SHA-256:6F3BE76FC00FE21C18A904058F2AF850204488187187C9B8C4BF11EAA03EC6C0
        SHA-512:6738CD1D4081AD78CCC1E3E7AC46A394D9AC32906B4688E34DCCBBA42153FB826484C854F42FFF619DC8D50CAE708585B422F3EAA3A0219AAD19DC0962910125
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):83616
        Entropy (8bit):4.585093487668882
        Encrypted:false
        SSDEEP:768:qUaIZi8Ns5iLV8gRai8ZijiTEOmGkoeiDpb3u:z+Jao7mce8pq
        MD5:0C535C85799575A063A0669BEB537587
        SHA1:361E927950EC1345568FB77474792A421C43287A
        SHA-256:0D698D6A2701BB7BAD391AD9A5AD745B3E4C3E308779974E63DF5DC73C67FCEE
        SHA-512:1C6D7200241A7EE5863BF6BBE0B37CF56E4CB552F06E4B92B09C8A582C8119A6CF8BE9A438A7FA8DC1196B288D7D0D69CFB0F5F26FA3B3631007DBC91E80C184
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 15, DIRTY
        Category:dropped
        Size (bytes):79016
        Entropy (8bit):1.819255691788891
        Encrypted:false
        SSDEEP:384:yAhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmNUmtUmxUm4MUm2hL6UsE0Zm:LY7L5rY7L5
        MD5:BF73715605FAD3276CB70C5624BD0B1A
        SHA1:D90C8D6229F0A16B830E29C2591A14449898934A
        SHA-256:D54B14D736F74395F05F4F738B198A2D45C60E976429CE2891167EF36EB579DA
        SHA-512:4B2DC0ECF4515EC55F3815D53B21B0682EF738ABB69F346D435CA2065292A637A08177A81D8A5E6612FCA991F8EDF539DF83F2963E3D720EDB9C22DB7B01184E
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):67776
        Entropy (8bit):0.36719323656603353
        Encrypted:false
        SSDEEP:96:aZKNVaO80oL7/6Fg1ZKNVaO80oL7/6Fg:aZ8V7oiFg1Z8V7oiFg
        MD5:2382D9185464E87639DFB18E9082A8FC
        SHA1:AEB3201FB95233ABBE4D74D336783DE5501319E6
        SHA-256:1A310CA1F2B6D0410B499512EEC0D3AD58AB915454A3F4840BE42B76B359454C
        SHA-512:D36403B946979D9F26D2A866F9D8660CFB9F114684CFBF6C7A87D32C0DB00C4C22BE34732AFB5C6E0ADCBC362E7251C9C26110DF70841CE2F13C5A3DB1B5814F
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):1.6469884746870727
        Encrypted:false
        SSDEEP:384:/hpivNiGiriPiYiriDfiS83i0iGiTiYiUisiuiZi+iTiciUiQiJiUiBi4i/iAixQ:/G7t8H
        MD5:FC81D9FBA555C6BC7223594B8F6B46DE
        SHA1:971F47CFC0E1DCA462928DA2D8BE2B16D5A0629C
        SHA-256:9933922E09C49C5BA80292C4AED9EC9F457031E90B28B421DFFBD2F1BB840671
        SHA-512:7F2705E7526B49F76C5F2A76A88B83FC10591BAD68B451F5C67F841322076D4B408FC515EA59E0919907C73CBBD149AB5B5EE981083A52C9E90EC9FBFAD5254F
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):3.402178153425166
        Encrypted:false
        SSDEEP:1536:CNUOQWgSsqQmEGc+IqAW0qIWYSMGEi4y:CNUOQWgSsqQmEGc+IqAW0qIWYSMGEi4y
        MD5:FD4319C5F5AD58EE8C875C61232C9C30
        SHA1:A89CCB7261742E885EDFAAF3C402EFE07F9417A2
        SHA-256:22A641C9CAB573471C4525224CD0E1C7424326A87AAD8A59C326DF55D5639570
        SHA-512:E1B9EF82FB19BCEA59BBF6965848EA92DE83B9F87B36DC5E453787CFF06A78FA6B9CC5B387009C4D4F7A77998B2B8D250337C19DBC830287BF38DE168A76BEF0
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):1.3132453844344478
        Encrypted:false
        SSDEEP:384:hhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJnXJRXJtXJLXJjXJppXJ:hQ0yUkNYwD8imLE5nTtFpf
        MD5:6237EE0458A0478242B975E9BB7AA97D
        SHA1:6B0BDBA887DA21675A63FC73AED995B1BCA3F6B1
        SHA-256:C8E224C54278C206302EAD7011ACC48CAC60E7638E32EE70653190DBC90FA70A
        SHA-512:56C025C971F77AB8E911E0190E8AB5CF533A909C1BF4558876FB2761AAA381CB7D21E44A3273FA4427CB2FF7DEECC15A312DD2A424B96ABDC4886BDF233F30E9
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.325262033408211
        Encrypted:false
        SSDEEP:384:6hYmn9moomUmKBmZOmZmlmmmomRmemtmsmimGmHmEmqmwmHmLmlm9mGmdmpm3mfO:6/fGTDcx
        MD5:D13189B45679E53F5744A4D449F8B00F
        SHA1:ED410CAB42772E329F656B4793B46AC7159CF05B
        SHA-256:BAA80D6A7DC42752766B1862A00009A1D76B57022A4D5A89692DBA2D6866EBA1
        SHA-512:83399CE082F8C6D2917B8363E053C770F2783B3D086F39736919FBFA533DF65993A3B7840A2E1000B08948584CF9750C27961BF8A7BE3A235B5DDD779616013F
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.7947046118743749
        Encrypted:false
        SSDEEP:384:jhr2zS2o202AW2D2t2l292l2V2p2d2N2:j8Q
        MD5:55E73A924B170FBFFF862E8E195E839A
        SHA1:3C625D05DFC08AE9DF26AEBAA82D72FC9F28ADB0
        SHA-256:1B36D85AA56A023F6646D6EF28C9DCB5358528274EDCC9B6ED20705E3007E8A2
        SHA-512:E14D32569F37A827EDBD1F02667866431C856D087A396933DE5E9B87943369C4802D220557050C7B0FE9367FBD0683676776E6D3CCBCB290C9F30D86EC529E28
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):67448
        Entropy (8bit):4.362541887087964
        Encrypted:false
        SSDEEP:384:8grRcRvxhSRumRtRqR5RVR+rRvR3RFRXRmRbR+RLRlRFRDRiwhR3KR31RIRB8R+l:8hxA8nPLGbd
        MD5:42421F1B7286F036582A6D7D99CF3147
        SHA1:8E897235D1DFF91A69DE38C8E94EE46D26444DBB
        SHA-256:CF20D23E84769288754DF5D324B46B78FB469D9AE5B745BEB262A33782FE5DDA
        SHA-512:786F7CAA3A9B54342E6B8EAB3BCA4C0C0D39A3933E2364BAC9BA0B70AC0102688132FC7450559D4C04DC3D988E2DA3891003E71B334256B3352ACE1E8C9015D1
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.273338343434408
        Encrypted:false
        SSDEEP:384:mhWhjhUh4h4hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhC1:mBsFpkBjOFK
        MD5:C37372EB51AEDB4552CB839C7294403A
        SHA1:7B7C408D72B084CE36AA6B623AC6B907FD21D569
        SHA-256:C3B5D9D16F88507EF69A9B6FF8581AEBAFF84D254F62CD4E75B6A9C6F93E93C4
        SHA-512:69183719C29FCE5CEDB2634579ABA9FEF835A3CDC7668BB741F9DB36050756C088FD331E898DA8E4850887FD217B939DF1C5A3E7D73D2260CB3AC3570E71718E
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):1.231195890775603
        Encrypted:false
        SSDEEP:384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVt9VjViVyVKVui:Zyjbn
        MD5:3365A34953FD7B16667108A049B64DA5
        SHA1:C72421A58E063D64072152344B266F8306A78702
        SHA-256:AAEDFFE84B66B602858AF51D5B2EBA7CFC9DB57A4A3DD3240DB44B737B9BBF26
        SHA-512:A5569EDC7516DACCCE7B3135114588E01ED1A77CA95B0F378E389E27AC8999EA71E8AF36FD275EEA7E81987CB9BF14910645DE3DC4FE8E086FF532796DD78AAF
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.350875711842647
        Encrypted:false
        SSDEEP:384:Zh+BwB5BwBjBwBNSBwBYiBwB+BwBXBwBZabSqBwBlQBwBtfBwBvBwBPnBwBIrBwb:ZOqabeGTnbuSxH
        MD5:6FA59B2FB733B8FA5E0074C9B93602FC
        SHA1:B6FC27D7B620403BE985F6A19D5CEE5C8FA1418D
        SHA-256:38C2A1038D038123085A68752AEA0813A3CCBD7D1FBC5100817BC63176FFEF72
        SHA-512:BF930369188EBA913EE5BEB77D5B48612246B5BE93E680E9B4D00A712543CCEB3DDF10C887924FBA2ACDDFA8FEDD5388E022BF18787091AEA2E042362CE4536A
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.421206160086997
        Encrypted:false
        SSDEEP:384:ah1qUEzUELUEnUEQUEpUE9UE4UEvUEqUEGUEuUEyUEpjUEmUE6UEVUE1UEdUEoUF:arN5mPfkvmR
        MD5:67CAD90771EBC0BD20736201D89C1586
        SHA1:EE241B07EBD6E7A64AE367520F5C0665F4EBBAD7
        SHA-256:7801ED56F87C5A71A42128D089176CFDAACCCD6998EACCD07E46207F2CD48467
        SHA-512:27DE77A98E11A1D33B648B9F46671F61338B1746032B4AD8F003A8A5C52FB7C3ECCB834057074EF5FCD3459A0810439BAF63E1320B385F7A5E81757A90BBFD13
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):68120
        Entropy (8bit):4.3283799428200735
        Encrypted:false
        SSDEEP:384:xPFR/PFRao8onS6cWNfoLSbdsLSvnQYoxMtg6Wo9MtxLo9MtMozonuoxNo/Vo1+7:fPGa1ZGg6UXa5B
        MD5:A0DFBDE96F777AA2D2619DC0DF86CCCD
        SHA1:7721A8D94CC5847CD5C8980C9492FF36798B29B0
        SHA-256:38361DCAC6564031E595226820184B35BD7C17D3859DAE52556D71E1D3B1A22B
        SHA-512:2E3D8C0CE34C92770C5F3FCED512F7CEEE96EB04A61529007BC8EE7A7A94F2F2EC83D78ECC78D8655C420C4D03F226CC004898A36225E220FD8CADEFD9E66070
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):67984
        Entropy (8bit):0.4044369109592055
        Encrypted:false
        SSDEEP:96:mwKNVaO80oiX38yhO2XwKNVaO80oiX38yhO2:mw8V7BhhZw8V7Bhh
        MD5:E15077F31626F38E0A2CA0A73D234501
        SHA1:D5E1F1B9A5409A2B95FB3F1AC6ABACFD60E3404A
        SHA-256:4336A3ED827629B9FF0CCEBB88A8839E045B9855FE0B98F619A62D07C6F59FD6
        SHA-512:2022A7554366B8B1F46EF304FD3403126CA11FA982D360D0BC58D0903890A5BDECDD072526B7417BB927527D48A8B7E695273E688126099F4804A512EE3F7C0A
        Malicious:false
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):79312
        Entropy (8bit):4.4040143243423095
        Encrypted:false
        SSDEEP:768:/eKePj6znLmLQXHmtpJnqiNHpzoQpTeZ/J:a6X4MHmcsQJ
        MD5:D1059054463896BA14027F0070A3F5AE
        SHA1:1E288FC255506598D996AD4EE2D94C1AB3EE28CC
        SHA-256:23CE1CD7A76E4CC6F21B49AA3706ECB5DDAAFD63AFD297B490D79EA59BEC7932
        SHA-512:64E3AAC862ACE06479BE0398C627D68086FFF37C7B626765FA4A835705676E9F1493E1E51B9B17822C2772EB24F385F3B56A27BC0000CFE2BCE5B5598AF4193C
        Malicious:false
        Preview:ElfChnk.................m.......u...................-.......................................................................I..<....................s...h...................=...................................................N...............................Y...............w.......0.......................E...................................W...........).......M...3...:...........................................................................................................................&...................**......m.........>.".........i.e&........i.e.t.Q...H.C.A;.......A../...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....X...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.
        Process:C:\Windows\System32\svchost.exe
        File Type:data
        Category:dropped
        Size (bytes):77088
        Entropy (8bit):3.84886054221554
        Encrypted:false
        SSDEEP:1536:vIEvJ0Bj1aIEvJ0Bj1bztNPY3c9Nw0zEkkp:F
        MD5:7C4A8F303A35AA62A03E778EAEA2B653
        SHA1:B5E6B150833BCE7199F0C44E2A0C1938CF0950B5
        SHA-256:61212098C4C3B346115A43725352ACD4796165ADFA805DDC31C80BFC0B782C64
        SHA-512:4E3DE36B8C1A811B98117A42D1D328B45A87E4483347049455578B8865A6165BFC36212B416157DF2202B7852F730EB525638F75AC9F7E13811F56B4E84E74BE
        Malicious:false
        Preview:ElfChnk.................y....................(.. -..........................................................................G...............................................=..........................................................................................................................._...............8...........................f...................M...c...........................n...............................................&.......................................................................**......y.........A.".........B.&........B...._j..d.:Ad........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............
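The three files above that svchost.exe wrote carry the `ElfChnk` magic and the `**` record markers of Windows EVTX log chunks (the previews show Microsoft-Windows-Eventlog and PowerShell provider records). The following Python is an added example, not part of the report: it parses the 512-byte chunk header, verifies both CRC32 fields, and walks the record headers, so an analyst can see which record range a chunk holds and whether it is intact before the sample's later `sc stop eventlog` takes effect. The sample chunk is constructed inline (its record id and timestamp are invented); decoding of the BinXml record body is out of scope.

```python
import struct
import zlib
from datetime import datetime, timezone

CHUNK_SIZE = 0x10000                 # EVTX chunks are 64 KiB
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"   # the "**" visible in the report's previews
# magic, first/last record number, first/last record id, header size,
# last record offset, free-space offset, records CRC32
HEADER_FMT = "<8sQQQQIIII"
EPOCH_DELTA = 11_644_473_600         # seconds between 1601-01-01 and 1970-01-01


def filetime_to_unix(filetime: int) -> int:
    """FILETIME (100 ns since 1601) to Unix seconds."""
    return filetime // 10_000_000 - EPOCH_DELTA


def parse_chunk_header(chunk: bytes) -> dict:
    """Parse the ElfChnk header and verify the header and records checksums."""
    if len(chunk) < 0x200 or chunk[:8] != CHUNK_MAGIC:
        raise ValueError("not an EVTX chunk")
    (_, first_num, last_num, first_id, last_id,
     header_size, last_rec_off, free_off, records_crc) = struct.unpack_from(HEADER_FMT, chunk, 0)
    header_crc = struct.unpack_from("<I", chunk, 0x7C)[0]
    return {
        "first_record_number": first_num,
        "last_record_number": last_num,
        "first_record_id": first_id,
        "last_record_id": last_id,
        "record_count": last_num - first_num + 1,
        "header_size": header_size,
        "last_record_offset": last_rec_off,
        "free_space_offset": free_off,
        # header CRC covers bytes 0x00-0x77 and 0x80-0x1FF (flags and the CRC field are skipped)
        "header_crc_ok": zlib.crc32(chunk[:0x78] + chunk[0x80:0x200]) == header_crc,
        # records CRC covers everything from the first record up to the free-space offset
        "records_crc_ok": zlib.crc32(chunk[0x200:free_off]) == records_crc,
    }


def parse_record(chunk: bytes, offset: int) -> dict:
    """Parse one event record header; the BinXml body is returned raw."""
    magic, size, record_id, written = struct.unpack_from("<4sIQQ", chunk, offset)
    if magic != RECORD_MAGIC:
        raise ValueError(f"bad record magic at 0x{offset:x}")
    if size < 0x1C or offset + size > len(chunk):
        raise ValueError(f"record size out of range at 0x{offset:x}")
    if struct.unpack_from("<I", chunk, offset + size - 4)[0] != size:
        raise ValueError(f"record size copy mismatch at 0x{offset:x}")
    unix = filetime_to_unix(written)
    return {
        "offset": offset,
        "size": size,
        "record_id": record_id,
        "written_unix": unix,
        "written_utc": datetime.fromtimestamp(unix, tz=timezone.utc).isoformat(),
        "binxml": chunk[offset + 0x18: offset + size - 4],
    }


def iter_records(chunk: bytes):
    """Yield every record between the header and the free-space offset."""
    header = parse_chunk_header(chunk)
    offset = 0x200
    while offset + 0x18 <= header["free_space_offset"]:
        rec = parse_record(chunk, offset)
        yield rec
        offset += rec["size"]


def build_sample_chunk() -> bytes:
    """Constructed 64 KiB chunk holding one record (id 0x55, written 2024-10-19 21:58:03 UTC).
    The body is filler, not real BinXml; only the framing is meaningful."""
    written = (1_729_375_083 + EPOCH_DELTA) * 10_000_000
    body = b"\x0f\x01\x01\x00" + b"\x00" * 24
    size = 0x18 + len(body) + 4
    record = struct.pack("<4sIQQ", RECORD_MAGIC, size, 0x55, written) + body + struct.pack("<I", size)
    chunk = bytearray(CHUNK_SIZE)
    chunk[0x200:0x200 + size] = record
    free_off = 0x200 + size
    struct.pack_into(HEADER_FMT, chunk, 0, CHUNK_MAGIC, 0x55, 0x55, 0x55, 0x55,
                     0x80, 0x200, free_off, zlib.crc32(bytes(chunk[0x200:free_off])))
    struct.pack_into("<I", chunk, 0x7C, zlib.crc32(bytes(chunk[:0x78]) + bytes(chunk[0x80:0x200])))
    return bytes(chunk)


if __name__ == "__main__":
    sample = build_sample_chunk()
    print(parse_chunk_header(sample))
    for rec in iter_records(sample):
        print(rec["record_id"], rec["written_utc"], len(rec["binxml"]), "body bytes")
```

Run against a real dropped chunk, a failed `records_crc_ok` means the chunk was truncated or modified after the EventLog service wrote it, which is worth recording alongside the hashes in the table above.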
        File type:PE32+ executable (GUI) x86-64, for MS Windows
        Entropy (8bit):6.53877415843636
        TrID:
        • Win64 Executable GUI (202006/5) 92.65%
        • Win64 Executable (generic) (12005/4) 5.51%
        • Generic Win/DOS Executable (2004/3) 0.92%
        • DOS Executable Generic (2002/1) 0.92%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:whrbuflqwhah.exe
        File size:5'512'704 bytes
        MD5:99201be105bf0a4b25d9c5113da723fb
        SHA1:443e6e285063f67cb46676b3951733592d569a7c
        SHA256:e4eda2de1dab7a3891b0ed6eff0ccd905ff4b275150004c6eb5f1d6582eea9a2
        SHA512:b57ae7282f2798cbf231f8ca6081b5fab10068566a49f0ad735e8408ccd73d77efb5c26a48b7591e20711f0adbd9e619b40078b9c51d31b7a9768104529e7808
        SSDEEP:98304:iLYn+RXS6SNwDy4+8ZEo1cQ5fQsN/lHKVQyDMUO6PWe7xulC0jYURWBFfiX5g:iO+lFf+toK2fvKhDMnqulQz65
        TLSH:FA4612096253D9AEF8E09D799A0742751E43E545CADF40CEE3C2CD98ED508B3A3724EE
        File Content Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d...L..e.........."...........S.....@..........@..............................T...........`........................................
        Icon Hash:90cececece8e8eb0
        Entrypoint:0x140001140
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x140000000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Time Stamp:0x65F9C64C [Tue Mar 19 17:07:24 2024 UTC]
        TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
        CLR (.Net) Version:
        OS Version Major:6
        OS Version Minor:0
        File Version Major:6
        File Version Minor:0
        Subsystem Version Major:6
        Subsystem Version Minor:0
        Import Hash:b237ac2118704db9e7609540658f5790
Instruction (entry-point code, decoded as x86-64; the report's listing decoded the same bytes as 32-bit x86, which renders the REX prefixes 48h/41h/4Ch as dec eax / inc ecx / dec esp, hides the 64-bit operands and drops the gs: and lock prefixes. Branch targets are kept as printed in the report. The sequence is consistent with the MinGW-w64 CRT startup in crtexe.c, __tmainCRTStartup, which matches the msvcrt.dll import set below.)
sub rsp, 28h
mov rax, qword ptr [rip+00011ED5h]   ; pointer to a 32-bit global, loaded from .rdata (MinGW .refptr pattern)
mov dword ptr [rax], 00000001h       ; global = 1
call 00007F3278EC758Fh
nop
nop
nop
add rsp, 28h
ret
nop
push r15
push r14
push rsi
push rdi
push rbx
sub rsp, 20h
mov rax, qword ptr gs:[00000030h]    ; NtCurrentTeb()
mov rdi, qword ptr [rax+08h]         ; TEB.NtTib.StackBase, used as the lock owner token
mov rsi, qword ptr [rip+00011EC9h]   ; address of the startup lock (via .refptr)
xor eax, eax
lock cmpxchg qword ptr [rsi], rdi    ; InterlockedCompareExchangePointer(&lock, StackBase, NULL)
sete bl
je 00007F3278EC75B0h
cmp rdi, rax
je 00007F3278EC75ABh                 ; lock already held by this thread: nested entry
mov r14, qword ptr [rip+00016989h]   ; IAT slot of kernel32!Sleep
nop word ptr [rax+rax+00000000h]
mov ecx, 000003E8h                   ; Sleep(1000) and retry the lock
call r14
xor eax, eax
lock cmpxchg qword ptr [rsi], rdi
sete bl
je 00007F3278EC7587h
cmp rdi, rax
jne 00007F3278EC7569h
mov rdi, qword ptr [rip+00011E90h]   ; address of the startup state (via .refptr)
mov eax, dword ptr [rdi]
cmp eax, 01h
jne 00007F3278EC758Eh
mov ecx, 0000001Fh                   ; _amsg_exit(31): re-entered while initializing
call 00007F3278ED8984h
jmp 00007F3278EC75A9h
cmp dword ptr [rdi], 00000000h
je 00007F3278EC758Bh
mov byte ptr [rip+00542531h], 01h    ; already initialized
jmp 00007F3278EC759Bh
mov dword ptr [rdi], 00000001h       ; state = initializing
mov rcx, qword ptr [rip+00011E7Ah]
mov rdx, qword ptr [rip+00011E7Bh]
call 00007F3278ED897Bh               ; _initterm(first, last)
mov eax, dword ptr [rdi]
cmp eax, 01h
jne 00007F3278EC759Bh
mov rcx, qword ptr [rip+00011E50h]
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x17818          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x548000         0x198         .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x54b000         0x78          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x130a0          0x28          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x13410          0x138         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x179d0          0x178         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x1000           0x11796       0x11800   534e9ea0887f36602d6d14b8360957d2  False     0.45576171875       data       6.17868523304557     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x13000          0x500c        0x5200    90229a5fd96fa1d83f6376324021472c  False     0.510718368902439   data       4.958364190279132    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x19000          0x52e6b8      0x52a800  a814ecb1f5f96cabed4050850d1fc8de  unknown   unknown             unknown    unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0x548000         0x198         0x200     ffbf52ea93ef1f925677ec10c8347a42  False     0.533203125         data       3.6276651287955146   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg  0x549000         0x10          0x200     b18c7380298e104adf73576fa46bccc1  False     0.04296875          data       0.15127132530476972  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls    0x54a000         0x10          0x200     bf619eac0cdf3f68d496ea9344137e8b  False     0.02734375          data       0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x54b000         0x78          0x200     111b62decd44d01c1a3fcff66d2d0696  False     0.240234375         data       1.4878116201849654   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Note on the layout: .data holds 0x52a800 (5'416'960) raw bytes of the 5'512'704-byte file, about 98% of the image, while the code in .text is 0x11800 (71'680) bytes. The writable .data section is therefore where the bulk of the sample lives, and the section-level entropy and ZLIB metrics for it are reported as unknown, so the packing of that embedded content cannot be judged from this table; the file-level entropy of 6.54 above is dominated by it.
DLL           Import
msvcrt.dll    __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strcat, strcpy, strlen, strncmp, strstr, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
KERNEL32.dll  DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                        CName / Address         Type                    Class        DNS over HTTPS
Oct 20, 2024 05:58:16.678709030 CEST  1.1.1.1    192.168.2.4  0x49d1    No error (0)  fp2e7a.wpc.2be4.phicdn.net  fp2e7a.wpc.phicdn.net   CNAME (Canonical name)  IN (0x0001)  false
Oct 20, 2024 05:58:16.678709030 CEST  1.1.1.1    192.168.2.4  0x49d1    No error (0)  fp2e7a.wpc.phicdn.net       192.229.221.95          A (IP address)          IN (0x0001)  false
Oct 20, 2024 05:58:39.379698992 CEST  1.1.1.1    192.168.2.4  0xb5c4    No error (0)  fp2e7a.wpc.2be4.phicdn.net  fp2e7a.wpc.phicdn.net   CNAME (Canonical name)  IN (0x0001)  false
Oct 20, 2024 05:58:39.379698992 CEST  1.1.1.1    192.168.2.4  0xb5c4    No error (0)  fp2e7a.wpc.phicdn.net       192.229.221.95          A (IP address)          IN (0x0001)  false

        Code Manipulations

Function Name                  Hook Type  Active in Processes
ZwEnumerateKey                 INLINE     explorer.exe, winlogon.exe
NtQuerySystemInformation       INLINE     explorer.exe, winlogon.exe
ZwResumeThread                 INLINE     explorer.exe, winlogon.exe
NtDeviceIoControlFile          INLINE     explorer.exe, winlogon.exe
ZwDeviceIoControlFile          INLINE     explorer.exe, winlogon.exe
NtEnumerateKey                 INLINE     explorer.exe, winlogon.exe
NtQueryDirectoryFile           INLINE     explorer.exe, winlogon.exe
ZwEnumerateValueKey            INLINE     explorer.exe, winlogon.exe
ZwQuerySystemInformation       INLINE     explorer.exe, winlogon.exe
NtResumeThread                 INLINE     explorer.exe, winlogon.exe
RtlGetNativeSystemInformation  INLINE     explorer.exe, winlogon.exe
NtQueryDirectoryFileEx         INLINE     explorer.exe, winlogon.exe
NtEnumerateValueKey            INLINE     explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx         INLINE     explorer.exe, winlogon.exe
ZwQueryDirectoryFile           INLINE     explorer.exe, winlogon.exe

Function Name                  Hook Type  New Data (first bytes of the patched prologue; the report lists the same bytes for both hooked processes)
ZwEnumerateKey                 INLINE     0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation       INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread                 INLINE     0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile          INLINE     0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile          INLINE     0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey                 INLINE     0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile           INLINE     0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey            INLINE     0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation       INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread                 INLINE     0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation  INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx         INLINE     0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey            INLINE     0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx         INLINE     0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile           INLINE     0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Reading the table: 0xE9 is the opcode of a 5-byte JMP rel32, so the first instruction of each hooked ntdll export now transfers control to the hook's handler instead of the syscall stub. The Nt*/Zw* pairs (and RtlGetNativeSystemInformation alongside NtQuerySystemInformation) show identical bytes because those export names resolve to the same stub address, so the fifteen names correspond to seven patched locations. The hooked set covers process enumeration (NtQuerySystemInformation), directory listing (NtQueryDirectoryFile/Ex), registry enumeration (NtEnumerateKey, NtEnumerateValueKey), device I/O (NtDeviceIoControlFile) and thread resumption (NtResumeThread), which is the function set a user-mode rootkit needs to filter what explorer.exe and winlogon.exe can see and to follow newly created processes.
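Added example (not from the report): Python triage of the hook table above. It decodes the reported patch bytes as a 5-byte JMP rel32, shows how to tell them from an unhooked x64 ntdll syscall stub (the `4C 8B D1 B8` prologue, constructed here as a reference and not taken from the report), groups the export names that share one patch, and performs the target arithmetic against a placeholder stub address (the `0x7FFA12340000` value is an assumption; on a live system each export's real address would be used).

```python
import struct
from collections import defaultdict

# Patched prologue bytes exactly as listed in the report's "New Data" column.
REPORTED_HOOKS = {
    "ZwEnumerateKey":                "E9 9C C3 32 2C CF",
    "NtQuerySystemInformation":      "E9 9C C3 32 2A AF",
    "ZwResumeThread":                "E9 9A A3 32 27 7F",
    "NtDeviceIoControlFile":         "E9 90 03 33 34 4F",
    "ZwDeviceIoControlFile":         "E9 90 03 33 34 4F",
    "NtEnumerateKey":                "E9 9C C3 32 2C CF",
    "NtQueryDirectoryFile":          "E9 9A A3 32 2B BF",
    "ZwEnumerateValueKey":           "E9 90 03 33 31 1F",
    "ZwQuerySystemInformation":      "E9 9C C3 32 2A AF",
    "NtResumeThread":                "E9 9A A3 32 27 7F",
    "RtlGetNativeSystemInformation": "E9 9C C3 32 2A AF",
    "NtQueryDirectoryFileEx":        "E9 97 73 30 0A AF",
    "NtEnumerateValueKey":           "E9 90 03 33 31 1F",
    "ZwQueryDirectoryFileEx":        "E9 97 73 30 0A AF",
    "ZwQueryDirectoryFile":          "E9 9A A3 32 2B BF",
}

# Constructed reference (not from the report): an unhooked x64 ntdll syscall stub
# begins  mov r10, rcx ; mov eax, <ssn>  =  4C 8B D1 B8 <ssn32>.
CLEAN_STUB_EXAMPLE = bytes.fromhex("4C8BD1B819000000")


def classify_prologue(prologue: bytes):
    """Classify the first bytes of an Nt* stub.

    Returns (kind, value): ("clean", ssn), ("jmp_rel32", rel32),
    ("jmp_indirect", disp32), ("mov_rax_jmp", imm64) or ("unknown", None).
    """
    if prologue[:4] == b"\x4c\x8b\xd1\xb8" and len(prologue) >= 8:
        return "clean", struct.unpack_from("<I", prologue, 4)[0]
    if prologue[:1] == b"\xe9" and len(prologue) >= 5:               # jmp rel32
        return "jmp_rel32", struct.unpack_from("<i", prologue, 1)[0]
    if prologue[:2] == b"\xff\x25" and len(prologue) >= 6:           # jmp qword ptr [rip+disp32]
        return "jmp_indirect", struct.unpack_from("<i", prologue, 2)[0]
    if prologue[:2] == b"\x48\xb8" and prologue[10:12] == b"\xff\xe0":  # mov rax, imm64 ; jmp rax
        return "mov_rax_jmp", struct.unpack_from("<Q", prologue, 2)[0]
    return "unknown", None


def is_hooked(prologue: bytes) -> bool:
    """Anything that is not the plain syscall prologue is treated as patched."""
    return classify_prologue(prologue)[0] != "clean"


def jmp_rel32_target(stub_va: int, rel32: int) -> int:
    """Absolute destination of a 5-byte JMP rel32 written at stub_va (wraps mod 2**64)."""
    return (stub_va + 5 + rel32) & 0xFFFFFFFFFFFFFFFF


def group_by_patch(hooks: dict) -> dict:
    """Group export names by identical patch bytes; Nt*/Zw* aliases share one stub,
    so one inline patch is listed once per alias in the report."""
    groups = defaultdict(list)
    for name, hexbytes in hooks.items():
        groups[bytes.fromhex(hexbytes.replace(" ", ""))].append(name)
    return {patch: sorted(names) for patch, names in groups.items()}


def triage(hooks: dict, stub_va: int = 0x7FFA12340000) -> list:
    """Summarise the reported hooks; stub_va is a placeholder for the target arithmetic.
    Only the first five bytes form the JMP; the sixth byte is reported as listed."""
    rows = []
    for patch, names in group_by_patch(hooks).items():
        kind, value = classify_prologue(patch)
        rows.append({
            "exports": names,
            "kind": kind,
            "rel32": value,
            "example_target": jmp_rel32_target(stub_va, value) if kind == "jmp_rel32" else None,
            "trailing_byte": patch[5] if len(patch) > 5 else None,
        })
    return rows


if __name__ == "__main__":
    for row in triage(REPORTED_HOOKS):
        print(row["kind"], hex(row["rel32"]), hex(row["example_target"]), ", ".join(row["exports"]))
    print("reference stub:", classify_prologue(CLEAN_STUB_EXAMPLE), "hooked:", is_hooked(CLEAN_STUB_EXAMPLE))
```

On a live host the same classification is applied to the first bytes read from each Nt* export in the suspect process; a prologue that does not start with the syscall stub pattern, in particular one starting with 0xE9, is the inline hook the report describes, and comparing against the bytes at the same RVA in the on-disk ntdll.dll removes false positives from legitimate exports that never had that prologue.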

        Target ID:0
        Start time:23:57:58
        Start date:19/10/2024
        Path:C:\Users\user\Desktop\whrbuflqwhah.exe
        Wow64 process (32bit):false
        Commandline:"C:\Users\user\Desktop\whrbuflqwhah.exe"
        Imagebase:0x7ff783b90000
        File size:5'512'704 bytes
        MD5 hash:99201BE105BF0A4B25D9C5113DA723FB
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Target ID:1
        Start time:23:57:59
        Start date:19/10/2024
        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        Imagebase:0x7ff788560000
        File size:452'608 bytes
        MD5 hash:04029E121A0CFA5991749937DD22A1D9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:2
        Start time:23:57:59
        Start date:19/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:3
        Start time:23:58:01
        Start date:19/10/2024
        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
        Imagebase:0x7ff693ab0000
        File size:496'640 bytes
        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
        Has elevated privileges:true
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:4
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\cmd.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        Imagebase:0x7ff6bd2d0000
        File size:289'792 bytes
        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:5
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\sc.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\sc.exe stop UsoSvc
        Imagebase:0x7ff703ae0000
        File size:72'192 bytes
        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:6
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:7
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:8
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\wusa.exe
        Wow64 process (32bit):false
        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
        Imagebase:0x7ff6fdcd0000
        File size:345'088 bytes
        MD5 hash:FBDA2B8987895780375FE0E6254F6198
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:9
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\sc.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
        Imagebase:0x7ff703ae0000
        File size:72'192 bytes
        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:10
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:11
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\sc.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\sc.exe stop wuauserv
        Imagebase:0x7ff703ae0000
        File size:72'192 bytes
        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:12
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:13
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\sc.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\sc.exe stop bits
        Imagebase:0x7ff703ae0000
        File size:72'192 bytes
        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:14
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:15
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\sc.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\sc.exe stop dosvc
        Imagebase:0x7ff703ae0000
        File size:72'192 bytes
        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:16
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:17
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\dialer.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\dialer.exe
        Imagebase:0x7ff73f770000
        File size:39'936 bytes
        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:18
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\sc.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\sc.exe delete "RYVSUJUA"
        Imagebase:0x7ff703ae0000
        File size:72'192 bytes
        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:19
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:20
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\sc.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
        Imagebase:0x7ff703ae0000
        File size:72'192 bytes
        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:21
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:22
        Start time:23:58:02
        Start date:19/10/2024
        Path:C:\Windows\System32\winlogon.exe
        Wow64 process (32bit):false
        Commandline:winlogon.exe
        Imagebase:0x7ff7cd660000
        File size:906'240 bytes
        MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:23
        Start time:23:58:03
        Start date:19/10/2024
        Path:C:\Windows\System32\sc.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\sc.exe stop eventlog
        Imagebase:0x7ff703ae0000
        File size:72'192 bytes
        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:24
        Start time:23:58:03
        Start date:19/10/2024
        Path:C:\Windows\System32\sc.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\sc.exe start "RYVSUJUA"
        Imagebase:0x7ff703ae0000
        File size:72'192 bytes
        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:25
        Start time:23:58:03
        Start date:19/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:26
        Start time:23:58:03
        Start date:19/10/2024
        Path:C:\Windows\System32\cmd.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\whrbuflqwhah.exe"
        Imagebase:0x7ff6bd2d0000
        File size:289'792 bytes
        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:27
        Start time:23:58:03
        Start date:19/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:28
        Start time:23:58:03
        Start date:19/10/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:29
        Start time:23:58:03
        Start date:19/10/2024
        Path:C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
        Wow64 process (32bit):false
        Commandline:C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
        Imagebase:0x7ff6ccfe0000
        File size:5'512'704 bytes
        MD5 hash:99201BE105BF0A4B25D9C5113DA723FB
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Antivirus matches:
        • Detection: 63%, ReversingLabs
        • Detection: 72%, Virustotal, Browse
        Has exited:true

        Target ID:30
        Start time:23:58:03
        Start date:19/10/2024
        Path:C:\Windows\System32\choice.exe
        Wow64 process (32bit):false
        Commandline:choice /C Y /N /D Y /T 3
        Imagebase:0x7ff606860000
        File size:35'840 bytes
        MD5 hash:1A9804F0C374283B094E9E55DC5EE128
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true
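The command lines in the process list above (Defender exclusions via Add-MpPreference, stopping UsoSvc, WaaSMedicSvc, wuauserv, bits and dosvc, uninstalling KB890830, creating and starting a service whose binary sits under C:\ProgramData, stopping eventlog, and a choice-delayed Del of the original binary) are each individually noisy, but together they form an unambiguous chain. Added example, not part of the report: a small rule set run over exactly those command lines, with a severity score for the combination. The rule names, regexes and thresholds are this example's own; the ATT&CK technique IDs are the standard ones for each behaviour.

```python
import re
from collections import defaultdict

# Process command lines copied from the report's process list (Target ID -> command line).
REPORTED_PROCESSES = {
    0:  r'"C:\Users\user\Desktop\whrbuflqwhah.exe"',
    1:  r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    2:  r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    4:  r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    5:  r"C:\Windows\system32\sc.exe stop UsoSvc",
    8:  r"wusa /uninstall /kb:890830 /quiet /norestart",
    9:  r"C:\Windows\system32\sc.exe stop WaaSMedicSvc",
    11: r"C:\Windows\system32\sc.exe stop wuauserv",
    13: r"C:\Windows\system32\sc.exe stop bits",
    15: r"C:\Windows\system32\sc.exe stop dosvc",
    17: r"C:\Windows\system32\dialer.exe",
    18: r'C:\Windows\system32\sc.exe delete "RYVSUJUA"',
    20: r'C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"',
    23: r"C:\Windows\system32\sc.exe stop eventlog",
    24: r'C:\Windows\system32\sc.exe start "RYVSUJUA"',
    26: r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\whrbuflqwhah.exe"',
}

# (rule name, ATT&CK technique, regex). KB890830 is the Malicious Software Removal Tool.
RULES = [
    ("defender_exclusion", "T1562.001",
     re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b", re.I)),
    ("update_service_stop", "T1562.001",
     re.compile(r"\bsc(?:\.exe)?\s+stop\s+(?:UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("eventlog_service_stop", "T1562.002",
     re.compile(r"\bsc(?:\.exe)?\s+stop\s+eventlog\b", re.I)),
    ("msrt_uninstall", "T1562.001",
     re.compile(r"\bwusa(?:\.exe)?\s+/uninstall\s+/kb:890830\b", re.I)),
    ("service_persistence_programdata", "T1543.003",
     re.compile(r"\bsc(?:\.exe)?\s+create\s+\S+\s+binpath=\s*\"?[A-Za-z]:\\ProgramData\\", re.I)),
    ("delayed_self_delete", "T1070.004",
     re.compile(r"\bchoice\b.*?/T\s+\d+.*?&\s*del\b", re.I)),
]


def match_rules(cmdline: str) -> list:
    """Names of all rules that fire on one command line."""
    return [name for name, _, rx in RULES if rx.search(cmdline)]


def triage(processes: dict) -> dict:
    """Map rule name -> sorted Target IDs whose command line fired it."""
    hits = defaultdict(list)
    for target_id, cmdline in processes.items():
        for name in match_rules(cmdline):
            hits[name].append(target_id)
    return {name: sorted(ids) for name, ids in hits.items()}


def severity(hits: dict) -> str:
    """Score the chain: defence evasion plus persistence plus cleanup together is far
    stronger evidence than any single command (thresholds are this example's own)."""
    n = len(hits)
    if "service_persistence_programdata" in hits and n >= 4:
        return "critical"
    if n >= 2:
        return "high"
    return "medium" if n == 1 else "low"


def technique_for(rule_name: str) -> str:
    return next(tech for name, tech, _ in RULES if name == rule_name)


if __name__ == "__main__":
    hits = triage(REPORTED_PROCESSES)
    for name, ids in hits.items():
        print(f"{name:32} {technique_for(name):10} targets={ids}")
    print("severity:", severity(hits))
```

The same rules apply unchanged to Sysmon Event ID 1 or Windows Security 4688 command-line fields; the point of scoring the combination rather than alerting on each rule is that `sc stop bits` or a single Add-MpPreference call occur legitimately, while update-service tampering, an MSRT uninstall, a ProgramData service and an eventlog stop inside a few seconds do not.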

        Target ID:31
        Start time:23:58:03
        Start date:19/10/2024
        Path:C:\Windows\System32\lsass.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\lsass.exe
        Imagebase:0x7ff7a2ae0000
        File size:59'456 bytes
        MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:32
        Start time:23:58:03
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:33
        Start time:23:58:04
        Start date:19/10/2024
        Path:C:\Windows\System32\dwm.exe
        Wow64 process (32bit):false
        Commandline:"dwm.exe"
        Imagebase:0x7ff74e710000
        File size:94'720 bytes
        MD5 hash:5C27608411832C5B39BA04E33D53536C
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:34
        Start time:23:58:05
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:35
        Start time:23:58:05
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:36
        Start time:23:58:05
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:37
        Start time:23:58:06
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:38
        Start time:23:58:06
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:39
        Start time:23:58:06
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:40
        Start time:23:58:06
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:41
        Start time:23:58:07
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:42
        Start time:23:58:07
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:43
        Start time:23:58:07
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:44
        Start time:23:58:08
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:45
        Start time:23:58:08
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:46
        Start time:23:58:09
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:47
        Start time:23:58:09
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:48
        Start time:23:58:09
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:49
        Start time:23:58:09
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:50
        Start time:23:58:09
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:51
        Start time:23:58:10
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:52
        Start time:23:58:10
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:53
        Start time:23:58:10
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:false

        Target ID:54
        Start time:23:58:11
        Start date:19/10/2024
        Path:C:\Windows\System32\svchost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
        Imagebase:0x7ff6eef20000
        File size:55'320 bytes
        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
        Has elevated privileges:true
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Has exited:false

          Memory Dump Source
          • Source File: 00000000.00000002.1724623747.00007FF783B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF783B90000, based on PE: true
          • Associated: 00000000.00000002.1724565814.00007FF783B90000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1724662598.00007FF783BA3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1724692129.00007FF783BA9000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1724719701.00007FF783BAA000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1725552540.00007FF78409E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1725589539.00007FF7840D8000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_7ff783b90000_whrbuflqwhah.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1235303a4078601fa075146d934a06d32e9be1ad41df72c2bceefdb3f93881ef
          • Instruction ID: 60d7d99bc8891d278712dfff7f5e01099a9b122a8231ac0144d35fd32f18c388
          • Opcode Fuzzy Hash: 1235303a4078601fa075146d934a06d32e9be1ad41df72c2bceefdb3f93881ef
          • Instruction Fuzzy Hash: 93B012B0E0570984E7423F4AD881358BA607B08780FE40430C98C23362DE7D5040DB30

          Execution Graph

          Execution Coverage:0.7%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:0%
          Total number of Nodes:73
          Total number of Limit Nodes:2
          execution_graph 14818 2c5ccf71abc 14823 2c5ccf71628 GetProcessHeap 14818->14823 14820 2c5ccf71ad2 Sleep SleepEx 14821 2c5ccf71acb 14820->14821 14821->14820 14822 2c5ccf71598 StrCmpIW StrCmpW 14821->14822 14822->14821 14824 2c5ccf71648 _invalid_parameter_noinfo 14823->14824 14868 2c5ccf71268 GetProcessHeap 14824->14868 14826 2c5ccf71650 14827 2c5ccf71268 2 API calls 14826->14827 14828 2c5ccf71661 14827->14828 14829 2c5ccf71268 2 API calls 14828->14829 14830 2c5ccf7166a 14829->14830 14831 2c5ccf71268 2 API calls 14830->14831 14832 2c5ccf71673 14831->14832 14833 2c5ccf7168e RegOpenKeyExW 14832->14833 14834 2c5ccf718a6 14833->14834 14835 2c5ccf716c0 RegOpenKeyExW 14833->14835 14834->14821 14836 2c5ccf716e9 14835->14836 14837 2c5ccf716ff RegOpenKeyExW 14835->14837 14872 2c5ccf712bc RegQueryInfoKeyW 14836->14872 14838 2c5ccf7173a RegOpenKeyExW 14837->14838 14839 2c5ccf71723 14837->14839 14842 2c5ccf71775 RegOpenKeyExW 14838->14842 14843 2c5ccf7175e 14838->14843 14883 2c5ccf7104c RegQueryInfoKeyW 14839->14883 14847 2c5ccf71799 14842->14847 14848 2c5ccf717b0 RegOpenKeyExW 14842->14848 14846 2c5ccf712bc 13 API calls 14843->14846 14849 2c5ccf7176b RegCloseKey 14846->14849 14850 2c5ccf712bc 13 API calls 14847->14850 14851 2c5ccf717eb RegOpenKeyExW 14848->14851 14852 2c5ccf717d4 14848->14852 14849->14842 14855 2c5ccf717a6 RegCloseKey 14850->14855 14853 2c5ccf71826 RegOpenKeyExW 14851->14853 14854 2c5ccf7180f 14851->14854 14856 2c5ccf712bc 13 API calls 14852->14856 14858 2c5ccf7184a 14853->14858 14859 2c5ccf71861 RegOpenKeyExW 14853->14859 14857 2c5ccf7104c 5 API calls 14854->14857 14855->14848 14860 2c5ccf717e1 RegCloseKey 14856->14860 14861 2c5ccf7181c RegCloseKey 14857->14861 14862 2c5ccf7104c 5 API calls 14858->14862 14863 2c5ccf7189c RegCloseKey 14859->14863 14864 2c5ccf71885 14859->14864 14860->14851 14861->14853 14865 2c5ccf71857 RegCloseKey 14862->14865 14863->14834 14866 2c5ccf7104c 5 API calls 14864->14866 14865->14859 14867 2c5ccf71892 RegCloseKey 
14866->14867 14867->14863 14889 2c5ccf86168 14868->14889 14870 2c5ccf71283 GetProcessHeap 14871 2c5ccf712ae _invalid_parameter_noinfo 14870->14871 14871->14826 14873 2c5ccf7148a RegCloseKey 14872->14873 14874 2c5ccf71327 GetProcessHeap 14872->14874 14873->14837 14877 2c5ccf7133e _invalid_parameter_noinfo 14874->14877 14875 2c5ccf71476 GetProcessHeap HeapFree 14875->14873 14876 2c5ccf71352 RegEnumValueW 14876->14877 14877->14875 14877->14876 14879 2c5ccf713d3 GetProcessHeap 14877->14879 14880 2c5ccf7141e lstrlenW GetProcessHeap 14877->14880 14881 2c5ccf713f3 GetProcessHeap HeapFree 14877->14881 14882 2c5ccf71443 StrCpyW 14877->14882 14890 2c5ccf7152c 14877->14890 14879->14877 14880->14877 14881->14880 14882->14877 14884 2c5ccf711b5 RegCloseKey 14883->14884 14887 2c5ccf710bf _invalid_parameter_noinfo 14883->14887 14884->14838 14885 2c5ccf710cf RegEnumValueW 14885->14887 14886 2c5ccf7114e GetProcessHeap 14886->14887 14887->14884 14887->14885 14887->14886 14888 2c5ccf7116e GetProcessHeap HeapFree 14887->14888 14888->14887 14891 2c5ccf71546 14890->14891 14894 2c5ccf7157c 14890->14894 14892 2c5ccf71565 StrCmpW 14891->14892 14893 2c5ccf7155d StrCmpIW 14891->14893 14891->14894 14892->14891 14893->14891 14894->14877 14895 2c5ccf4273c 14897 2c5ccf4276a 14895->14897 14896 2c5ccf42858 LoadLibraryA 14896->14897 14897->14896 14898 2c5ccf428d4 14897->14898

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
          • String ID:
          • API String ID: 1683269324-0
          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction ID: 68bba05f479b3f6f92d8e82985eb30a77bb311ae7d0b176ec6b71207cf32c58e
          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction Fuzzy Hash: 99118B71614F21A2FBB09F21B80CF5D22B4A744314F60412B9A4A859B1EFB8F3CC8740

          Control-flow Graph

          APIs
            • Part of subcall function 000002C5CCF71628: GetProcessHeap.KERNEL32 ref: 000002C5CCF71633
            • Part of subcall function 000002C5CCF71628: HeapAlloc.KERNEL32 ref: 000002C5CCF71642
            • Part of subcall function 000002C5CCF71628: RegOpenKeyExW.ADVAPI32 ref: 000002C5CCF716B2
            • Part of subcall function 000002C5CCF71628: RegOpenKeyExW.ADVAPI32 ref: 000002C5CCF716DF
            • Part of subcall function 000002C5CCF71628: RegCloseKey.ADVAPI32 ref: 000002C5CCF716F9
            • Part of subcall function 000002C5CCF71628: RegOpenKeyExW.ADVAPI32 ref: 000002C5CCF71719
            • Part of subcall function 000002C5CCF71628: RegCloseKey.ADVAPI32 ref: 000002C5CCF71734
            • Part of subcall function 000002C5CCF71628: RegOpenKeyExW.ADVAPI32 ref: 000002C5CCF71754
            • Part of subcall function 000002C5CCF71628: RegCloseKey.ADVAPI32 ref: 000002C5CCF7176F
            • Part of subcall function 000002C5CCF71628: RegOpenKeyExW.ADVAPI32 ref: 000002C5CCF7178F
            • Part of subcall function 000002C5CCF71628: RegCloseKey.ADVAPI32 ref: 000002C5CCF717AA
            • Part of subcall function 000002C5CCF71628: RegOpenKeyExW.ADVAPI32 ref: 000002C5CCF717CA
          • Sleep.KERNEL32 ref: 000002C5CCF71AD7
          • SleepEx.KERNELBASE ref: 000002C5CCF71ADD
            • Part of subcall function 000002C5CCF71628: RegCloseKey.ADVAPI32 ref: 000002C5CCF717E5
            • Part of subcall function 000002C5CCF71628: RegOpenKeyExW.ADVAPI32 ref: 000002C5CCF71805
            • Part of subcall function 000002C5CCF71628: RegCloseKey.ADVAPI32 ref: 000002C5CCF71820
            • Part of subcall function 000002C5CCF71628: RegOpenKeyExW.ADVAPI32 ref: 000002C5CCF71840
            • Part of subcall function 000002C5CCF71628: RegCloseKey.ADVAPI32 ref: 000002C5CCF7185B
            • Part of subcall function 000002C5CCF71628: RegOpenKeyExW.ADVAPI32 ref: 000002C5CCF7187B
            • Part of subcall function 000002C5CCF71628: RegCloseKey.ADVAPI32 ref: 000002C5CCF71896
            • Part of subcall function 000002C5CCF71628: RegCloseKey.ADVAPI32 ref: 000002C5CCF718A0
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: CloseOpen$HeapSleep$AllocProcess
          • String ID:
          • API String ID: 1534210851-0
          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction ID: a4f102d8383056bbea95915e366e118465734705d205fcb0c3fa3ad5464cc09f
          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction Fuzzy Hash: B531BC61200F6182FF549F2ADA49AAD13B4AB84BD0F04A5239E0DC76B5FF14F6D9C350

          Control-flow Graph

          control_flow_graph 57 2c5ccf73844-2c5ccf7384f 58 2c5ccf73869-2c5ccf73870 57->58 59 2c5ccf73851-2c5ccf73864 StrCmpNIW 57->59 59->58 60 2c5ccf73866 59->60 60->58
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID:
          • String ID: dialer
          • API String ID: 0-3528709123
          • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
          • Instruction ID: 2b198737b1e3ffa9bd87ec3077cf84c69e3f3e5ca7b75950e633d0e13ceed80b
          • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
          • Instruction Fuzzy Hash: 1DD0A761311F26D6FF14DFA6C8CCE6C2361EB04744F884062C90005270DB68FBCD9710

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID: LibraryLoad
          • String ID:
          • API String ID: 1029625771-0
          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction ID: 0ac2824bd3abc25ed4b105cc25e93931c0c6ee0192761c6853b67d4cd4dc1ae0
          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction Fuzzy Hash: CB610132B01FA487EB58CF15D048B2DB3A2FB54BA4F588172DE5907798DA38F992D700

          Control-flow Graph

          control_flow_graph 367 2c5ccf72b2c-2c5ccf72ba5 call 2c5ccf92ce0 370 2c5ccf72bab-2c5ccf72bb1 367->370 371 2c5ccf72ee0-2c5ccf72f03 367->371 370->371 372 2c5ccf72bb7-2c5ccf72bba 370->372 372->371 373 2c5ccf72bc0-2c5ccf72bc3 372->373 373->371 374 2c5ccf72bc9-2c5ccf72bd9 GetModuleHandleA 373->374 375 2c5ccf72bdb-2c5ccf72beb call 2c5ccf86090 374->375 376 2c5ccf72bed 374->376 378 2c5ccf72bf0-2c5ccf72c0e 375->378 376->378 378->371 381 2c5ccf72c14-2c5ccf72c33 StrCmpNIW 378->381 381->371 382 2c5ccf72c39-2c5ccf72c3d 381->382 382->371 383 2c5ccf72c43-2c5ccf72c4d 382->383 383->371 384 2c5ccf72c53-2c5ccf72c5a 383->384 384->371 385 2c5ccf72c60-2c5ccf72c73 384->385 386 2c5ccf72c75-2c5ccf72c81 385->386 387 2c5ccf72c83 385->387 388 2c5ccf72c86-2c5ccf72c8a 386->388 387->388 389 2c5ccf72c8c-2c5ccf72c98 388->389 390 2c5ccf72c9a 388->390 391 2c5ccf72c9d-2c5ccf72ca7 389->391 390->391 392 2c5ccf72d9d-2c5ccf72da1 391->392 393 2c5ccf72cad-2c5ccf72cb0 391->393 394 2c5ccf72da7-2c5ccf72daa 392->394 395 2c5ccf72ed2-2c5ccf72eda 392->395 396 2c5ccf72cc2-2c5ccf72ccc 393->396 397 2c5ccf72cb2-2c5ccf72cbf call 2c5ccf7199c 393->397 398 2c5ccf72dac-2c5ccf72db8 call 2c5ccf7199c 394->398 399 2c5ccf72dbb-2c5ccf72dc5 394->399 395->371 395->385 401 2c5ccf72d00-2c5ccf72d0a 396->401 402 2c5ccf72cce-2c5ccf72cdb 396->402 397->396 398->399 406 2c5ccf72dc7-2c5ccf72dd4 399->406 407 2c5ccf72df5-2c5ccf72df8 399->407 403 2c5ccf72d0c-2c5ccf72d19 401->403 404 2c5ccf72d3a-2c5ccf72d3d 401->404 402->401 409 2c5ccf72cdd-2c5ccf72cea 402->409 403->404 410 2c5ccf72d1b-2c5ccf72d28 403->410 411 2c5ccf72d4b-2c5ccf72d58 lstrlenW 404->411 412 2c5ccf72d3f-2c5ccf72d49 call 2c5ccf71bbc 404->412 406->407 414 2c5ccf72dd6-2c5ccf72de3 406->414 415 2c5ccf72dfa-2c5ccf72e03 call 2c5ccf71bbc 407->415 416 2c5ccf72e05-2c5ccf72e12 lstrlenW 407->416 417 2c5ccf72ced-2c5ccf72cf3 409->417 420 2c5ccf72d2b-2c5ccf72d31 410->420 422 2c5ccf72d7b-2c5ccf72d8d call 2c5ccf73844 411->422 423 2c5ccf72d5a-2c5ccf72d64 411->423 412->411 427 
2c5ccf72d93-2c5ccf72d98 412->427 424 2c5ccf72de6-2c5ccf72dec 414->424 415->416 434 2c5ccf72e4a-2c5ccf72e55 415->434 418 2c5ccf72e35-2c5ccf72e3f call 2c5ccf73844 416->418 419 2c5ccf72e14-2c5ccf72e1e 416->419 426 2c5ccf72cf9-2c5ccf72cfe 417->426 417->427 429 2c5ccf72e42-2c5ccf72e44 418->429 419->418 428 2c5ccf72e20-2c5ccf72e33 call 2c5ccf7152c 419->428 420->427 430 2c5ccf72d33-2c5ccf72d38 420->430 422->427 422->429 423->422 433 2c5ccf72d66-2c5ccf72d79 call 2c5ccf7152c 423->433 424->434 435 2c5ccf72dee-2c5ccf72df3 424->435 426->401 426->417 427->429 428->418 428->434 429->395 429->434 430->404 430->420 433->422 433->427 441 2c5ccf72ecc-2c5ccf72ed0 434->441 442 2c5ccf72e57-2c5ccf72e5b 434->442 435->407 435->424 441->395 445 2c5ccf72e63-2c5ccf72e7d call 2c5ccf785c0 442->445 446 2c5ccf72e5d-2c5ccf72e61 442->446 448 2c5ccf72e80-2c5ccf72e83 445->448 446->445 446->448 450 2c5ccf72ea6-2c5ccf72ea9 448->450 451 2c5ccf72e85-2c5ccf72ea3 call 2c5ccf785c0 448->451 450->441 454 2c5ccf72eab-2c5ccf72ec9 call 2c5ccf785c0 450->454 451->450 454->441
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
          • API String ID: 2119608203-3850299575
          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
          • Instruction ID: ee8352752450ca50ba828086874caefb3b7b09da596e9e2bebcd40f2e5328520
          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
          • Instruction Fuzzy Hash: 5EB14662220FA182FBA88F25D548BAD63B5FB44B94F445017EA49977A5EF34FAC0C740
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
          • String ID:
          • API String ID: 3140674995-0
          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
          • Instruction ID: c41c88ce3c41cb50e426ffaf9fe1a02a707a435d09a99e30fd8d7638b037e576
          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
          • Instruction Fuzzy Hash: 6A311A72215F908AFB609F60E844BED6375F785744F44442ADA4D57BA4EF38E688C710
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID: dialer
          • API String ID: 756756679-3528709123
          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
          • Instruction ID: 152facd192f523f2df585c48c1513db5d898d7f1e4961e2e8fdd46ed25a77f36
          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
          • Instruction Fuzzy Hash: F5318D22701F61D2FA14DF16E548B6E67A0FB44B84F0880229E4847B76EF38F6E58740
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
          • String ID:
          • API String ID: 1239891234-0
          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
          • Instruction ID: 0a2ee12668bc25c161af6cf81985824a782016ae4975c3f8164ef7d80c01d4f5
          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
          • Instruction Fuzzy Hash: 19315E32214F9086EB60CF25E844B9E73B4F789754F500126EA9D47BA8DF38E695CB00
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
          • String ID:
          • API String ID: 2933794660-0
          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
          • Instruction ID: 70a19f2f641c07b57ee929879b9e50c10e578b9664e7860f57f6490abbeac581
          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
          • Instruction Fuzzy Hash: 7C112E22710F1189FF10CF60E8597AC33A4F719B58F440E22DA6D867B5DB78E2D88380
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: ExceptionRaise_clrfp
          • String ID:
          • API String ID: 15204871-0
          • Opcode ID: 91c45a23742243141810e6f77c67a66073dfa56da4d49e6a277af36b1acf7cf1
          • Instruction ID: a687499b3177b6911dbd628479040c6645a6e84e9485165fbf9a035658cdd4d6
          • Opcode Fuzzy Hash: 91c45a23742243141810e6f77c67a66073dfa56da4d49e6a277af36b1acf7cf1
          • Instruction Fuzzy Hash: 80B14D77600F948BEB15CF29C85A75C7BA0F345B48F158912DBA987BB8CB39E591CB00
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID: _clrfp
          • String ID:
          • API String ID: 3618594692-0
          • Opcode ID: 91c45a23742243141810e6f77c67a66073dfa56da4d49e6a277af36b1acf7cf1
          • Instruction ID: df4cbedd7efb455547f9b6b31b6d37ffcb6b75eee55f6367526c8bf05b81cb65
          • Opcode Fuzzy Hash: 91c45a23742243141810e6f77c67a66073dfa56da4d49e6a277af36b1acf7cf1
          • Instruction Fuzzy Hash: 62B15977600F988AEB19CF2DC88A75C7BA0F344B48F158916DB99837B4CB79E595C700
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
          • Instruction ID: 6c5fe7a1bf82b78158df1c24e5c8dcc6986c349fad925fd5e7fed8855ad84b95
          • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
          • Instruction Fuzzy Hash: 1251CA22700FA089FB20DF72A948B9E7BB5F7447D4F544116EE5867BA5DB38E681C700
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ede98a6d8d02e88a1d8b84a5c6c80a15dedc9657b0a7b1a34b363c45f1d0dee8
          • Instruction ID: cc0c05f899f80cb833d3a231cfb0464e4a1ec6e382a2566460e41e792964ab67
          • Opcode Fuzzy Hash: ede98a6d8d02e88a1d8b84a5c6c80a15dedc9657b0a7b1a34b363c45f1d0dee8
          • Instruction Fuzzy Hash: C8B15C62220FA086FB65CF25D848BAD63A4F784B98F445067EE4953BA4DB35FBC1C740
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
          • Instruction ID: f7e3616e1c8363b452760c0916d2d166974f17424fb2bffa287e51f1d6313e4e
          • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
          • Instruction Fuzzy Hash: 8D51DA22700FA085FB20DF72E848B9E7BA5F7447D4F144156EE5927BA5DB38E681C700
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
          • Instruction ID: c21025887cad8662608b05060026ef5bdb99ddd268cb3de46854d4915831384e
          • Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
          • Instruction Fuzzy Hash: 82F0F472615A649EEB988F28A446B597791F348384FD0811AD68983A14D63CE591CF04

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
          • API String ID: 106492572-2879589442
          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
          • Instruction ID: daf174247e283e2852de72677f6196f92336cb26a6693c34924f7ed054bb1a24
          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
          • Instruction Fuzzy Hash: DE71E976210F2186FB20DF65E898A9D23B4FB85B88F005112DD4E87B79DE38E6C8C744

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
          • String ID: d
          • API String ID: 2005889112-2564639436
          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
          • Instruction ID: b0aff870c2623e3f2607c398dca2a1a3fd50e68746f43f7c7d26d8c40c6e1b96
          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
          • Instruction Fuzzy Hash: B4515B76200F9486FB54CF62E44875E77A1F78AF89F048126DA4A47729DF3CE299C700

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: CurrentThread$AddressHandleModuleProc
          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
          • API String ID: 4175298099-1975688563
          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
          • Instruction ID: a037ced12b9c9d42a6a4c27664f5d393be4f54c886b12dae0944b1ad029c4802
          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
          • Instruction Fuzzy Hash: 30318164200F6AA0FE05EF69E869EEC2330BB05764F805063D44956576AF38F7CEC3A0

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
          • API String ID: 190073905-1786718095
          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction ID: 4e1c1bfffd3de0136a9dfc2d2d379a7bd86e80015c5c01253069dd107aedc90e
          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction Fuzzy Hash: BC810161700F318AFB54EF66A489F9D26D0EB85780F1480A79A04473B6EB78FBC68700

          Control-flow Graph

          APIs
          • GetLastError.KERNEL32 ref: 000002C5CCF7CE37
          • FlsGetValue.KERNEL32(?,?,?,000002C5CCF80A6B,?,?,?,000002C5CCF8045C,?,?,?,000002C5CCF7C84F), ref: 000002C5CCF7CE4C
          • FlsSetValue.KERNEL32(?,?,?,000002C5CCF80A6B,?,?,?,000002C5CCF8045C,?,?,?,000002C5CCF7C84F), ref: 000002C5CCF7CE6D
          • FlsSetValue.KERNEL32(?,?,?,000002C5CCF80A6B,?,?,?,000002C5CCF8045C,?,?,?,000002C5CCF7C84F), ref: 000002C5CCF7CE9A
          • FlsSetValue.KERNEL32(?,?,?,000002C5CCF80A6B,?,?,?,000002C5CCF8045C,?,?,?,000002C5CCF7C84F), ref: 000002C5CCF7CEAB
          • FlsSetValue.KERNEL32(?,?,?,000002C5CCF80A6B,?,?,?,000002C5CCF8045C,?,?,?,000002C5CCF7C84F), ref: 000002C5CCF7CEBC
          • SetLastError.KERNEL32 ref: 000002C5CCF7CED7
          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002C5CCF80A6B,?,?,?,000002C5CCF8045C,?,?,?,000002C5CCF7C84F), ref: 000002C5CCF7CF0D
          • FlsSetValue.KERNEL32(?,?,00000001,000002C5CCF7ECCC,?,?,?,?,000002C5CCF7BF9F,?,?,?,?,?,000002C5CCF77AB0), ref: 000002C5CCF7CF2C
            • Part of subcall function 000002C5CCF7D6CC: HeapAlloc.KERNEL32 ref: 000002C5CCF7D721
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002C5CCF80A6B,?,?,?,000002C5CCF8045C,?,?,?,000002C5CCF7C84F), ref: 000002C5CCF7CF54
            • Part of subcall function 000002C5CCF7D744: HeapFree.KERNEL32 ref: 000002C5CCF7D75A
            • Part of subcall function 000002C5CCF7D744: GetLastError.KERNEL32 ref: 000002C5CCF7D764
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002C5CCF80A6B,?,?,?,000002C5CCF8045C,?,?,?,000002C5CCF7C84F), ref: 000002C5CCF7CF65
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002C5CCF80A6B,?,?,?,000002C5CCF8045C,?,?,?,000002C5CCF7C84F), ref: 000002C5CCF7CF76
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Value$ErrorLast$Heap$AllocFree
          • String ID:
          • API String ID: 570795689-0
          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
          • Instruction ID: 2b7f8a842b7a6ebadb1d8a27d6926f4929c489240f990933d5aaf002683fab22
          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
          • Instruction Fuzzy Hash: F8418420B01F6441FE68AF35596DFAD12B25B447F0F254727A8364A6F6EE28F7C19310

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
          • API String ID: 2171963597-1373409510
          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
          • Instruction ID: db35b4e239bc3782610f3395e092a8c227b244bc7435a29ee1a29a20cfcd87a7
          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
          • Instruction Fuzzy Hash: BD213C72614F6083FB10CF25F448B5D67A1F78ABA4F504216EA5906AB8DF3CE2C9CB00

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction ID: f79423f5efdb356f61ca22c1eaac9adf8b64f400f3fd49f40bb90f511ad6cc83
          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction Fuzzy Hash: C4E19A72604F608AFB60DF65D488B9D77A8F785B88F100156EE8957BAACB34F2D1C704

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
          • Instruction ID: 4fbba73395db811a47501f55ac2328287aff0420587bf389b45c72572918b46d
          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
          • Instruction Fuzzy Hash: B1E18C72600F608AFB649F65D888B9D77B0F745B98F11111AEE8997BA9CB34F2D1C700

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: AddressFreeLibraryProc
          • String ID: api-ms-$ext-ms-
          • API String ID: 3013587201-537541572
          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
          • Instruction ID: 4ae18a58fc57a1d4ab9da43e5b42b8e242448a52315d6b3cd3c23f588679a911
          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
          • Instruction Fuzzy Hash: 5741B222311F2092FA16CF16E80CF5D63A5BB45BA0F5941279D0A8B7A4EE38F6D5C348

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
          • String ID: d
          • API String ID: 3743429067-2564639436
          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
          • Instruction ID: bce4f37591f0d046750088742367140679f31cbcf041a882e8584ea241ff19c8
          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
          • Instruction Fuzzy Hash: 12416073214F94C6E760CF21E458B9E77B5F389B98F04811ADA894B768DF78E589CB00
          APIs
          • FlsGetValue.KERNEL32(?,?,?,000002C5CCF7C7DE,?,?,?,?,?,?,?,?,000002C5CCF7CF9D,?,?,00000001), ref: 000002C5CCF7D087
          • FlsSetValue.KERNEL32(?,?,?,000002C5CCF7C7DE,?,?,?,?,?,?,?,?,000002C5CCF7CF9D,?,?,00000001), ref: 000002C5CCF7D0A6
          • FlsSetValue.KERNEL32(?,?,?,000002C5CCF7C7DE,?,?,?,?,?,?,?,?,000002C5CCF7CF9D,?,?,00000001), ref: 000002C5CCF7D0CE
          • FlsSetValue.KERNEL32(?,?,?,000002C5CCF7C7DE,?,?,?,?,?,?,?,?,000002C5CCF7CF9D,?,?,00000001), ref: 000002C5CCF7D0DF
          • FlsSetValue.KERNEL32(?,?,?,000002C5CCF7C7DE,?,?,?,?,?,?,?,?,000002C5CCF7CF9D,?,?,00000001), ref: 000002C5CCF7D0F0
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Value
          • String ID: 1%$Y%
          • API String ID: 3702945584-1395475152
          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
          • Instruction ID: 6dcc2c00d5c899c6195e62195aebbbb646155c6477655301d1ce9b7b593cc3c1
          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
          • Instruction Fuzzy Hash: A7119320704F6041FA689F35695DF2D62B15B443F0F545377A839466FEDE69F6C28310
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID:
          • API String ID: 190073905-0
          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction ID: 31f3b0315ec40e49e737950288ac132e5f303b7397ce8086c59fe9f40c635b1b
          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction Fuzzy Hash: B881B421720F6186FB569F69A84DF9D63F1A745780F14842B9A04877BAEB38FBC5C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Library$Load$AddressErrorFreeLastProc
          • String ID: api-ms-
          • API String ID: 2559590344-2084034818
          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
          • Instruction ID: 7e297d6f4a6b1aa693e45b9464983fca3b562608d70e22e5997ab1d10934c94a
          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
          • Instruction Fuzzy Hash: 7131A421212F60D1FE51DF42A408FAD62A4B749BA0F5905269D1D4B7A5DF39F7C58320
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
          • String ID: CONOUT$
          • API String ID: 3230265001-3130406586
          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
          • Instruction ID: d013ce7759838e6d493ddaff1bd7c8b7bdf4c51b22c384711443c3c9e56a981a
          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
          • Instruction Fuzzy Hash: 47118B21310F6082F750CF12E858B1D63A0F389FE4F044226EA1A877B4DB78EA888744
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: CurrentProcessProtectVirtual$HandleModule
          • String ID: wr
          • API String ID: 1092925422-2678910430
          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
          • Instruction ID: 92e21339d870889fb25053310f7068dcd7e9b45668bca24590f74858bae9ecbf
          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
          • Instruction Fuzzy Hash: 61115B66704F6182FF149F21E408A6D66B4FB89B85F48012ADE89077A5EF3DE6C9C704
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Thread$Current$Context
          • String ID:
          • API String ID: 1666949209-0
          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
          • Instruction ID: 982e24226b5b9e6e8ca29d9436457c8fc1a4942e9bb11f3c76cb3193c923376d
          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
          • Instruction Fuzzy Hash: 4DD19976218F9881EA719F1AE49475EB7B0F388B84F104117EA8D47BB5DF38E691CB40
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Value$ErrorLast
          • String ID:
          • API String ID: 2506987500-0
          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
          • Instruction ID: 250332e1950f821c0c2ae0ce47ac5fa3cdc4f9aacd306c61481e39a479d4850d
          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
          • Instruction Fuzzy Hash: 57117F20704F6041FA64AF31995DF6D22B26B857F0F545727A836477FAEE28F6C29310
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
          • String ID:
          • API String ID: 517849248-0
          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
          • Instruction ID: b58e9cd9ef4100494c92e1d790299311dca8c3a1253c4ac2b8c5f45ac74d4e86
          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
          • Instruction Fuzzy Hash: FC013521300F5082FA14DF52A84CB5D63A1B789FC4F888036DE4983765DE38EAC98700
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
          • String ID:
          • API String ID: 449555515-0
          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
          • Instruction ID: bb30638dd6482a56e062fe6fe78beadb73e1933ed7b64874b7d09c354aecf36f
          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
          • Instruction Fuzzy Hash: 9E01D765616F6086FF249F22E81CB1D62B0BB4AB96F040426C9490B775EF3DF6C98744
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
          • String ID: csm$f
          • API String ID: 2395640692-629598281
          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction ID: 6f91de65aeafc2df199cd87f9434427f6d802e0ae104afbe662d9f631a286b1c
          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction Fuzzy Hash: 11515332611F208AFB14DF25E84CF5D27A6F344B98F128526DA16477A8EAB5FB91C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
          • String ID: csm$f
          • API String ID: 2395640692-629598281
          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction ID: 8d492a19733989be62eb3583543c6f63e46bd6dfdefac0ef8f94633fcb56cb28
          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction Fuzzy Hash: 65318832210F6086FB14DF26E84CB1D3BA5F340B88F158016AE56077A9DB79FB90C704
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: FinalHandleNamePathlstrlen
          • String ID: \\?\
          • API String ID: 2719912262-4282027825
          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
          • Instruction ID: 92ad01856b38dfa28b8afd11096c1cfd4304904b69a2ccca3ee56d8315a1879c
          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
          • Instruction Fuzzy Hash: 3CF03162304F5192FB60CF21E888F5D6760F749B88F948122DA4946665DB2CE7CDCB00
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: AddressFreeHandleLibraryModuleProc
          • String ID: CorExitProcess$mscoree.dll
          • API String ID: 4061214504-1276376045
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: CombinePath
          • String ID: \\.\pipe\
          • API String ID: 3422762182-91387939
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: CurrentThread
          • String ID:
          • API String ID: 2882836952-0
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: CurrentThread
          • String ID:
          • API String ID: 2882836952-0
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID: _invalid_parameter_noinfo
          • String ID: Tuesday$Wednesday$or copy constructor iterator'
          • API String ID: 3215553584-4202648911
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: CallEncodePointerTranslator
          • String ID: MOC$RCC
          • API String ID: 3544855599-2084237596
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: FileWrite$ConsoleErrorLastOutput
          • String ID:
          • API String ID: 2718003287-0
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Heap$Process$Free
          • String ID:
          • API String ID: 3168794593-0
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: ConsoleErrorLastMode
          • String ID:
          • API String ID: 953036326-0
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: FileType
          • String ID: \\.\pipe\
          • API String ID: 3081899298-91387939
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID: CallTranslator
          • String ID: MOC$RCC
          • API String ID: 3163161869-2084237596
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: FileType
          • String ID: \\.\pipe\
          • API String ID: 3081899298-91387939
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: ErrorFileLastWrite
          • String ID: U
          • API String ID: 442123175-4171548499
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: ExceptionFileHeaderRaise
          • String ID: csm
          • API String ID: 2573137834-1018135373
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: ierarchy Descriptor'$riptor at (
          • API String ID: 592178966-758928094
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.3079935051.000002C5CCF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C5CCF40000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf40000_WmiPrvSE.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: Locator'$riptor at (
          • API String ID: 592178966-4215709766
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID:
          • API String ID: 756756679-0
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.3080943393.000002C5CCF70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C5CCF70000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_2c5ccf70000_WmiPrvSE.jbxd
          Similarity
          • API ID: Heap$AllocProcess
          • String ID:
          • API String ID: 1617791916-0

          Execution Graph

          Execution Coverage: 47.1%
          Dynamic/Decrypted Code Coverage: 0%
          Signature Coverage: 38.1%
          Total number of Nodes: 226
          Total number of Limit Nodes: 23

          Callgraph

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
          • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
          • API String ID: 4177739653-1130149537

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
          • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
          • API String ID: 2561231171-3753927220
          • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
          • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
          • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
          • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
          • String ID:
          • API String ID: 4084875642-0
          • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
          • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
          • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
          • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
          • String ID:
          • API String ID: 3197395349-0
          • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
          • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
          • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
          • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
          • String ID: .text$C:\Windows\System32\
          • API String ID: 2721474350-832442975
          • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
          • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
          • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
          • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
          • String ID: M$\\.\pipe\dialerchildproc64
          • API String ID: 2203880229-3489460547
          • Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
          • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
          • Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
          • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
          • String ID: \\.\pipe\dialercontrol_redirect64
          • API String ID: 2071455217-3440882674
          • Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
          • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
          • Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
          • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: Heap$AllocProcess$EnumProcessesSleep
          • String ID:
          • API String ID: 3676546796-0
          • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
          • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
          • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
          • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

          Control-flow Graph

          APIs
          • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
          • HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
            • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
            • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
            • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
            • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
            • Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
            • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
            • Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651
          • OpenProcess.KERNEL32 ref: 0000000140001859
          • TerminateProcess.KERNEL32 ref: 000000014000186C
          • CloseHandle.KERNEL32 ref: 0000000140001875
          • GetProcessHeap.KERNEL32 ref: 0000000140001885
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
          • String ID:
          • API String ID: 1323846700-0
          • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
          • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
          • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
          • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: Process$CloseHandleOpenWow64
          • String ID:
          • API String ID: 10462204-0
          • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
          • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
          • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
          • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

          Control-flow Graph

          APIs
            • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
            • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
            • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
            • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
            • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
            • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
            • Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
            • Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
            • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
            • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
            • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
            • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
            • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
            • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
            • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
            • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
          • ExitProcess.KERNEL32 ref: 0000000140002263
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
          • String ID:
          • API String ID: 3836936051-0
          • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
          • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
          • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
          • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
          • String ID: SOFTWARE$dialerstager$open
          • API String ID: 3276259517-3931493855
          • Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
          • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
          • Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
          • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
          • String ID: @
          • API String ID: 3462610200-2766056989
          • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
          • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
          • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
          • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
          • String ID: dialersvc64
          • API String ID: 4184240511-3881820561
          • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
          • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
          • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
          • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: Delete$CloseEnumOpen
          • String ID: SOFTWARE\dialerconfig
          • API String ID: 3013565938-461861421
          • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
          • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
          • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
          • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: File$Write$CloseCreateHandle
          • String ID: \\.\pipe\dialercontrol_redirect64
          • API String ID: 148219782-3440882674
          • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
          • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
          • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
          • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000011.00000002.3055565921.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
          • Associated: 00000011.00000002.3055221611.0000000140000000.00000004.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056050499.0000000140003000.00000002.00000001.00020000.00000000.sdmp
          • Associated: 00000011.00000002.3056708208.0000000140006000.00000002.00000001.00020000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
          Similarity
          • API ID: AddressHandleModuleProc
          • String ID: ntdll.dll
          • API String ID: 1646373207-2227199552
          • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
          • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
          • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
          • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

          Execution Graph

          Execution Coverage:1.7%
          Dynamic/Decrypted Code Coverage:95.3%
          Signature Coverage:0%
          Total number of Nodes:127
          Total number of Limit Nodes:16

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
          • API String ID: 106492572-2879589442
          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
          • Instruction ID: 406a7c028b3c229bdc1c75f8301e19e1701b13e4dfdd540bc7c265abecc9bc67
          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
          • Instruction Fuzzy Hash: 47712D7E328E60A6EB109FA9E85869D33B4F784F9AF509111DE4E47B69EF34C444C740

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: CurrentProcessProtectVirtual$HandleModule
          • String ID: wr
          • API String ID: 1092925422-2678910430
          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
          • Instruction ID: 5b5ece5b16f05410ef88fc7334ca4b30fcb2165cfe8f9a178b0778bd0effcbe9
          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
          • Instruction Fuzzy Hash: 96118B2A318F5493EF549BA9E408269B2A0FB88F86F148038DF8A03B94EF3DC505C704

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Thread$Current$Context
          • String ID:
          • API String ID: 1666949209-0
          • Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
          • Instruction ID: f245da02ec037058e9828f5728e6f8f7909b60f63258dcba4de34453af5a61e8
          • Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
          • Instruction Fuzzy Hash: B9D1997A20CF9896DA70DB4AE49835A7BA0F7C8B85F104156EACE47BA5DF3CC541CB40

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: CurrentThread
          • String ID:
          • API String ID: 2882836952-0
          • Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
          • Instruction ID: ca8f9a462bd9996edb27ee4ecd3a9b3d43bbe2f9124c1ca87dd336038b8394af
          • Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
          • Instruction Fuzzy Hash: 1102C83661DF9496EB60CB99E49436AB7A1F3C4795F104056EA8E87BA8DF7CC444CF00

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Virtual$AllocQuery
          • String ID:
          • API String ID: 31662377-0
          • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
          • Instruction ID: 3d7c28a49f1379a387e1eab8d3c47744672dc9424a01523034e22865a73a9f88
          • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
          • Instruction Fuzzy Hash: 7F31302625DE98A1EA30DB9DE05835E76A1F388B85F108575F6CF46BA8DF7CC180CB04

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
          • String ID:
          • API String ID: 1683269324-0
          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction ID: 7d3d60018f90cf45d3bc6b126cf75a44508ad4678cf0a9f52ef5460c3c2565a3
          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction Fuzzy Hash: 7011C07C62CEA8B2FB619BE8F90C3993295AB54B47F50C1B4EB0781690EF78C044C240

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
          • String ID:
          • API String ID: 3733156554-0
          • Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
          • Instruction ID: 7e590623df8fc7209075b22fdaf8685971673eb90f371bc8902be2096d1f9670
          • Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
          • Instruction Fuzzy Hash: 9FF03A2A21CF24D0D630DB89E44976ABBA0F788BD5F148151FA8E43B69CE3CC681CF00

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3076077378.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
          Similarity
          • API ID: AllocLibraryLoadVirtual
          • String ID:
          • API String ID: 3550616410-0
          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction ID: b5a9ffdff3e85ff3f1f12f145a610503c53f3502f35e5ceb3ac916478b11310c
          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction Fuzzy Hash: D261363AB02AA097DF56CF5ED00876DB392F754BA6F18C521CE5907788DA38D852C700

          Control-flow Graph

          APIs
            • Part of subcall function 00000225DC641628: GetProcessHeap.KERNEL32 ref: 00000225DC641633
            • Part of subcall function 00000225DC641628: HeapAlloc.KERNEL32 ref: 00000225DC641642
            • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416B2
            • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416DF
            • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6416F9
            • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641719
            • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641734
            • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641754
            • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64176F
            • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC64178F
            • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417AA
            • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6417CA
          • Sleep.KERNEL32 ref: 00000225DC641AD7
          • SleepEx.KERNELBASE ref: 00000225DC641ADD
            • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417E5
            • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641805
            • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641820
            • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641840
            • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64185B
            • Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC64187B
            • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641896
            • Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6418A0
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: CloseOpen$HeapSleep$AllocProcess
          • String ID:
          • API String ID: 1534210851-0
          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction ID: b89290e72799dd3975187c06206b195ef9f7eec7f326f7ac498d84b976088364
          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction Fuzzy Hash: 0731356921CE61B2FF509BAED6593A933A4AB54BC6F04D4A19E0F873E5FF30C451C210

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
          • API String ID: 2119608203-3850299575
          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
          • Instruction ID: 02e5d621d8295eb5dd385e75f9606a0c78f62cf6da70878d64f9e7b1c174dd69
          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
          • Instruction Fuzzy Hash: DCB1B47A21CE60A6EB968FEDC4487A973A5F744B8AF24D056DE0A53B94DF34CC41C340
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
          • String ID:
          • API String ID: 3140674995-0
          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
          • Instruction ID: a0dd4a3191c2f22ec65cd5f9c7d8c34c65d38d6a3a9ca6151c6be4ce44add157
          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
          • Instruction Fuzzy Hash: 29318376219F909AEB609FA4E8447ED73A0F784745F44812ADB4E57B94EF38C548CB10
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
          • String ID:
          • API String ID: 1239891234-0
          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
          • Instruction ID: f4e1f7a423249601853f9bf4c02ae152ed9a85bcd9bd447fde6e0ecec31a17ad
          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
          • Instruction Fuzzy Hash: 1531C73A218F90A6DB60DFA9E8443EE73A0F789755F504126EB9E43B94DF38C145CB00

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
          • String ID: d
          • API String ID: 2005889112-2564639436
          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
          • Instruction ID: fb1b484c7ebee393b1b53cdd5cd81ac2c1ca147a5507fda1b24fca473b782784
          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
          • Instruction Fuzzy Hash: 46515E7A214F9496EB64CFAAE54836A77A1F789F9AF148124DF4A07B58DF3CC045C700

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: CurrentThread$AddressHandleModuleProc
          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
          • API String ID: 4175298099-1975688563
          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
          • Instruction ID: 52c27ab1b4cc8d1b0b7a026bbb00d0580f7e8789e5eca17ee175a033894297e0
          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
          • Instruction Fuzzy Hash: 9231B8AC518DAAB0EB46EFEDE9597D43361B70434BF90D093940B025B1AF38828AC350

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3076077378.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
          • API String ID: 190073905-1786718095
          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction ID: 7539ecd07ed9e19813cea4b70ed8e4e8e5b401edcb5cd18e99020899339b4ff2
          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction Fuzzy Hash: DF81122D702E71A6FE60EBED944D35962E0EB95783F18C425AB4983797EF38C946C700

          Control-flow Graph

          APIs
          • GetLastError.KERNEL32 ref: 00000225DC64CE37
          • FlsGetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE4C
          • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE6D
          • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE9A
          • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CEAB
          • FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CEBC
          • SetLastError.KERNEL32 ref: 00000225DC64CED7
          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF0D
          • FlsSetValue.KERNEL32(?,?,00000001,00000225DC64ECCC,?,?,?,?,00000225DC64BF9F,?,?,?,?,?,00000225DC647AB0), ref: 00000225DC64CF2C
            • Part of subcall function 00000225DC64D6CC: HeapAlloc.KERNEL32 ref: 00000225DC64D721
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF54
            • Part of subcall function 00000225DC64D744: HeapFree.KERNEL32 ref: 00000225DC64D75A
            • Part of subcall function 00000225DC64D744: GetLastError.KERNEL32 ref: 00000225DC64D764
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF65
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF76
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Value$ErrorLast$Heap$AllocFree
          • String ID:
          • API String ID: 570795689-0
          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
          • Instruction ID: c96d39c070731bccc58dc25472949b9c8324ede58aceb138708ddbc32eb2cb43
          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
          • Instruction Fuzzy Hash: 3B41AB2C34CE64B6FE68A7FD955D36932825F857B2F24C7A4A937467E6DF388442C200
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
          • API String ID: 2171963597-1373409510
          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
          • Instruction ID: 1de5ddcc8f1dfc1167620b25f9dc58926eb66b08d3309719a253bb24b32ba1e0
          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
          • Instruction Fuzzy Hash: 8E215679628F5093F710CBA9F54835977A1F785796F608215DB5903BA4CF7CC145CB00
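Added example, not part of the Joe Sandbox report and not code from the sample: the function above, recovered from the injected winlogon.exe region, references the pipe names \\.\pipe\dialerchildproc32 and \\.\pipe\dialerchildproc64 next to process, file, thread and Wow64 APIs, which makes the two names usable as indicators. The Python below extracts ASCII and UTF-16LE strings from a raw memory dump and flags those names, then matches Sysmon pipe events (Event ID 17 PipeCreated, 18 PipeConnected) against the same names. The dump bytes and the Sysmon lines are constructed for the example; the key=value log shape is an assumption about how the events were flattened, and Sysmon's PipeName field carries the name without the \\.\pipe\ prefix.

```python
"""Match the named-pipe indicators from the winlogon.exe memory region against
a raw memory dump and against flattened Sysmon pipe events (example code)."""
import re
from typing import Iterable

# Pipe names taken from the String ID of the function above.
PIPE_INDICATORS = (
    r"\\.\pipe\dialerchildproc32",
    r"\\.\pipe\dialerchildproc64",
)

# Printable runs of at least 6 characters, ASCII and UTF-16LE (char, 0x00 pairs).
_ASCII = re.compile(rb"[\x20-\x7e]{6,}")
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(blob: bytes) -> list[str]:
    """Return printable ASCII strings, then UTF-16LE strings, in the order found."""
    found = [m.group().decode("ascii") for m in _ASCII.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in _UTF16.finditer(blob)]
    return found


def find_pipe_indicators(blob: bytes) -> list[str]:
    """Return the pipe indicators present in the dump (case-insensitive, deduplicated)."""
    hits: list[str] = []
    for s in extract_strings(blob):
        for ind in PIPE_INDICATORS:
            if ind.lower() in s.lower() and ind not in hits:
                hits.append(ind)
    return hits


def sysmon_pipe_alerts(lines: Iterable[str]) -> list[dict]:
    """Flag Sysmon Event ID 17/18 records whose PipeName matches an indicator.

    Assumes each record was flattened to space-separated key=value pairs with
    no spaces inside values; Sysmon reports PipeName as '\\name' without the
    '\\\\.\\pipe\\' prefix, so only the final path component is compared.
    """
    wanted = {ind.rsplit("\\", 1)[1].lower() for ind in PIPE_INDICATORS}
    alerts = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("EventID") not in ("17", "18"):
            continue
        name = fields.get("PipeName", "").lstrip("\\").lower()
        if name in wanted:
            alerts.append({"event": fields["EventID"],
                           "image": fields.get("Image", ""),
                           "pipe": name})
    return alerts


# Constructed dump: one ASCII and one UTF-16LE copy of the names among filler bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"\\\\.\\pipe\\dialerchildproc32\x00"
    + b"\x90\x90\xcc"
    + "\\\\.\\pipe\\dialerchildproc64".encode("utf-16-le") + b"\x00\x00"
    + b"CONOUT$\x00"
)

# Constructed Sysmon records (not from the report): two hits in winlogon.exe, one benign.
SYSMON_SAMPLE = [
    "EventID=17 Image=C:\\Windows\\System32\\winlogon.exe PipeName=\\dialerchildproc64",
    "EventID=18 Image=C:\\Windows\\System32\\winlogon.exe PipeName=\\dialerchildproc64",
    "EventID=17 Image=C:\\Windows\\System32\\lsass.exe PipeName=\\lsass",
]

if __name__ == "__main__":
    for ind in find_pipe_indicators(SAMPLE_DUMP):
        print("dump contains indicator:", ind)
    for alert in sysmon_pipe_alerts(SYSMON_SAMPLE):
        print("sysmon pipe alert:", alert)
```

The string extractor is deliberately simple (no length-prefixed or stack strings); on a real dump, run it over each committed region rather than the whole file so that a hit can be tied back to the owning process and base address, as the report does with its Memory Dump Source entries.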
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3076077378.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction ID: ccd8efdbd64409059a3f17658d38d7afc50ea8cd74631e28eb6d2bb9e49f1cd4
          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction Fuzzy Hash: F3E1D37A602F609AEF60DFA9D48839D77E0F749B8BF108115EE8947B99CB34C592C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
          • Instruction ID: bf4187be2395a619f89a1bc8f3fca4df6631bddcfcdd61a4c67bb6d669326bcb
          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
          • Instruction Fuzzy Hash: 65E1A47A60CF60AAFB60DFA9D44839D77A4F745799F208155EE8A57B9ACB34C082C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: AddressFreeLibraryProc
          • String ID: api-ms-$ext-ms-
          • API String ID: 3013587201-537541572
          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
          • Instruction ID: 4194e3e7209c85e71950454c05d0e0ffaf74f2fe4e207fa6d649fb1745087b51
          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
          • Instruction Fuzzy Hash: E541F42A32DE20B1EB56CBEEA9087553391BB49BE2F15C125AD0F87785EF38C445C315
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
          • String ID: d
          • API String ID: 3743429067-2564639436
          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
          • Instruction ID: d1ef6154134f3d25a2e3b62082cc3c12da5f52964662e2438e80bc3b6bcb4469
          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
          • Instruction Fuzzy Hash: B6418077218F94D6E760CFA5E44879E77A1F388B99F148129DB8A07B58DF38C449CB00
          APIs
          • FlsGetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D087
          • FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0A6
          • FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0CE
          • FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0DF
          • FlsSetValue.KERNEL32(?,?,?,00000225DC64C7DE,?,?,?,?,?,?,?,?,00000225DC64CF9D,?,?,00000001), ref: 00000225DC64D0F0
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Value
          • String ID: 1%$Y%
          • API String ID: 3702945584-1395475152
          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
          • Instruction ID: be52c68ba33939f5a848b29d9d21d48e408fdab80177f021fac5a07cf6ddf0ee
          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
          • Instruction Fuzzy Hash: C111B628B0CE64A1FE6897BED55D32971415B557F2F14C3A4A87B477DADE78C442C200
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID:
          • API String ID: 190073905-0
          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction ID: a54115b046e8042141df28d7bb05dcfe8318faa30d7cb3b304a9c15ab40c91e6
          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction Fuzzy Hash: 0281362C61CE31AAFB54ABEDA44C39937D1E785782F14C4A4DA0B877A6DB38C845CF00
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Library$Load$AddressErrorFreeLastProc
          • String ID: api-ms-
          • API String ID: 2559590344-2084034818
          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
          • Instruction ID: 1846bb63d11909a53191b25e77548844483a8de6adc9bd3f24389271b0a95010
          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
          • Instruction Fuzzy Hash: 2131E62935EE60F1EE21DBCAA408B653398BB48BA6F5985259D1F0B798DF39C447C300
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
          • String ID: CONOUT$
          • API String ID: 3230265001-3130406586
          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
          • Instruction ID: 158becd88709c9cbcacd230cd8387edf0a13bed790f97ee48f9835d8b457c441
          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
          • Instruction Fuzzy Hash: 5A119135720F6096E7608BDAE84831977A0F788FE6F248225EB5E877A4CF78C914C740
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID: dialer
          • API String ID: 756756679-3528709123
          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
          • Instruction ID: 2e98920b3895b546e8cfee93848436d20f1d91fbd890dc42e4983bef65e91d92
          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
          • Instruction Fuzzy Hash: 9131CE2A309F65A2EB52CFDEE54872A77A0FB44B86F18C1209F4A47B55EF34C4A1C300
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Value$ErrorLast
          • String ID:
          • API String ID: 2506987500-0
          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
          • Instruction ID: 4157702fcb9233f49a77c46e803b27685ba528657f510afb3a862d3f666b09f6
          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
          • Instruction Fuzzy Hash: B3119D2874CE6071FE64ABFE954D32932426B95BB6F10C3A4A837477EADE78C441C200
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
          • String ID:
          • API String ID: 517849248-0
          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
          • Instruction ID: c75f4c628c11a50a5007a532dfe706c93d8ee4e04b1e1be502c9ae2a36d6589c
          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
          • Instruction Fuzzy Hash: 0E016929314E5092EB60DB9AA84C35963A1F788BC6F988075DF8A43754DF3CC989C740
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
          • String ID:
          • API String ID: 449555515-0
          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
          • Instruction ID: 5377c2d080006a4fe2cd119959f91c4f1597db279fc077c9b970d2bb0f292206
          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
          • Instruction Fuzzy Hash: E101296D325F6492FB649BAAE80C71A73A0BB49B87F148464CE4A07765EF3DC158C704
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
          • String ID: csm$f
          • API String ID: 2395640692-629598281
          • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
          • Instruction ID: b166926d79cf74f009588074e3820990c0fc1e07a97fa4e01069ba2e3ee14553
          • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
          • Instruction Fuzzy Hash: 6651BF3A75DA20EAEB14DF99E84CB5937AAF344B8AF10C5A4DA174778CDB35C842C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: FinalHandleNamePathlstrlen
          • String ID: \\?\
          • API String ID: 2719912262-4282027825
          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
          • Instruction ID: e535c0649dfb5c656df934673802aa2881829a80634b4f76755b7f08d64bed47
          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
          • Instruction Fuzzy Hash: 69F04466718E51A2E7608BE9F9887596761F748BC9F94C020DB4A46654DF3CC68DCB00
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: CombinePath
          • String ID: \\.\pipe\
          • API String ID: 3422762182-91387939
          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
          • Instruction ID: 05bf48fb40d5b317a8235632c964cef6d02a25c8f7691d3038dd68194b884147
          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
          • Instruction Fuzzy Hash: 51F08C28328FA4A2FA448FDBB90C1196260AB48FD2F18E170EF4A07B58DF3CC485C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: AddressFreeHandleLibraryModuleProc
          • String ID: CorExitProcess$mscoree.dll
          • API String ID: 4061214504-1276376045
          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
          • Instruction ID: 44bd982de87b7b9a06009664450f2777bab72fc188efb7fa02744482d7f49e87
          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
          • Instruction Fuzzy Hash: 72F09669329F14A1EB108FECE44C3596361EB89766F648259DB6A462F4CF3CC044C740
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: CurrentThread
          • String ID:
          • API String ID: 2882836952-0
          • Opcode ID: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
          • Instruction ID: 8f9846ecf6cf7499faee6b5ce6658377365f055e4165f45403509503972279d5
          • Opcode Fuzzy Hash: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
          • Instruction Fuzzy Hash: 6561CD3A51DF94D6E760CB99E44831AB7A0F3C8796F109165EA8E87BA8DB7CC544CF00
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3076077378.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction ID: 0f0cd1f3b4902091acada321e62a835e8ba03bea7c675b6eead67c7f9176ca24
          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction Fuzzy Hash: 6B11C63AA60E3131FB6415ECE45D37991C86B58BB6F48C639A97F2E3D6CB34C881C200
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction ID: a15945065d89435b6d58080b2ea34464beef53a1596a2d5ce657289fdf07ecc6
          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction Fuzzy Hash: 5911733EA34E7131F67415ECD45D3751151EB783FAF38C6A4A976076D6DA34C841E200
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3076077378.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
          Similarity
          • API ID: _invalid_parameter_noinfo
          • String ID: Tuesday$Wednesday$or copy constructor iterator'
          • API String ID: 3215553584-4202648911
          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
          • Instruction ID: 944570b48e0c60bc5ad5e959f3b97a539a301ff4876b6c2567b65f1bc9dbc55e
          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
          • Instruction Fuzzy Hash: 2961E27E606E6066FE69CBFCE55D32E66A0F785793F54C415EA0A037A4DB34C842C302
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: CallEncodePointerTranslator
          • String ID: MOC$RCC
          • API String ID: 3544855599-2084237596
          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction ID: 5ee5bc15fcc7ca4683ce8519a978933ac552fc7779cbca0cf07b2e2c35c6d78e
          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction Fuzzy Hash: 6561CF3B608F94AAEB20DFA9D04439D7BA1F348B8DF148255EF4A17B99DB38C085C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3076077378.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction ID: 4352b4e7d2f757b2eeab07a41cb79b5cce5006a568909e68af21b5ba570d396d
          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction Fuzzy Hash: 9B51C23A105BA0EAEF748F99944835877A0F355B97F28C215EB89C7BD6CB38C451C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction ID: e2a4ec1541559836ceca0d34c116ae26037d4692d9dd8773577d8c71d6944edc
          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction Fuzzy Hash: 9C51C37A10CBA0FAEB748F9A948835977A0F354B86F24C159FA5A47BD7CB38C451C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3076077378.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction ID: 8a2ee0853dea6fc810b70285cdad8afa924fb268fca63da5ab5c18953c58d14e
          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction Fuzzy Hash: 9F51BF3A712A20AAEF94CF99E448B1937A5F358B9FF52C224DE0647788EB34CC41C704
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3076077378.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction ID: a13f22b0c5ddbfd73ffef1e451b0b481ee6602808d75d20c911345d57e3c4186
          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction Fuzzy Hash: A731C03A602B60A6EB64DF5AE84871977A4F748BDFF16C214EE5B47784DB38C940C704
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: FileWrite$ConsoleErrorLastOutput
          • String ID:
          • API String ID: 2718003287-0
          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
          • Instruction ID: bfa2cf39ed762a0c864f02a182d0b99d9a486c982741babc9b475573dd9f7606
          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
          • Instruction Fuzzy Hash: F7D1F376724E90A9E712CFB9D44839C3BB1F754799F248216CF5E97B99DA34C406C340
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Heap$Process$Free
          • String ID:
          • API String ID: 3168794593-0
          • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
          • Instruction ID: 6bfd24914fe268a9eaf32d670607eda920269b08af1813506c338134dac0ed3e
          • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
          • Instruction Fuzzy Hash: E2115E7A524FA0E6E724DFEEA80816977A0FB89F86F148025DB4A53726DE34C451C740
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: ConsoleErrorLastMode
          • String ID:
          • API String ID: 953036326-0
          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
          • Instruction ID: 6d7b5b403a3188d3b4841f9fb94707250acf1a7d2d8579f267c512fad794f412
          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
          • Instruction Fuzzy Hash: 7391D67AB20E70A5F766DFAD94883AD3BA0F754B8AF24C109DE0A57795DB34C486C700
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
          • String ID:
          • API String ID: 2933794660-0
          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
          • Instruction ID: d33dc497d620ec2850d47fa6d7599d0f75ef197f864d2f2ea1a1538dcd62ba05
          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
          • Instruction Fuzzy Hash: 54113026714F119AEF50CFE8E8593A833A4F719759F440E21DB6D467A4DF78C1A8C380
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: FileType
          • String ID: \\.\pipe\
          • API String ID: 3081899298-91387939
          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
          • Instruction ID: 898a99a824d3708835f2c6571b9ade3bad5d2cda467ec0446c5c9970c4b06ed6
          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
          • Instruction Fuzzy Hash: 6471F63A20CFA166E7269FED98483EA7794F389B86F648066DD0B53B89DE35C541C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3076077378.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
          Similarity
          • API ID: CallTranslator
          • String ID: MOC$RCC
          • API String ID: 3163161869-2084237596
          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction ID: 1c103488b81b5755e9a858689f9c8f9220dbcbf2f2fcf3c8ea21b2028d61d58d
          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction Fuzzy Hash: C5619D3B602F549AEB20CFA9D44439D7BA0F748B8EF148215EF4917B99DB38D156C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: FileType
          • String ID: \\.\pipe\
          • API String ID: 3081899298-91387939
          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
          • Instruction ID: 46897ffc2cc2630562e995aa3ab88a20c60a5fe9943d3a7bd5f75d2a5dc7dda7
          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
          • Instruction Fuzzy Hash: 8051273A60CFA1A1E6799FEDE05C37A7B51F784B41F648165CE4B03B49CA39C544C740
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: ErrorFileLastWrite
          • String ID: U
          • API String ID: 442123175-4171548499
          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
          • Instruction ID: ff598f2dff618ae855125180d135eff0feb50115b417593be16094bb43c2f728
          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
          • Instruction Fuzzy Hash: BC41C476325E90A6DB21CFA9E8483AE77A0F798795F508021EE4E87794EB7CC445C740
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: ExceptionFileHeaderRaise
          • String ID: csm
          • API String ID: 2573137834-1018135373
          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
          • Instruction ID: 8e6f9ddc8bd4a0050d82363797f3a651ef4e3f91162d625b6a7f86f7e5c4113b
          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
          • Instruction Fuzzy Hash: CF115B36218F9092EB608B59E40435977E4FB88B99F288260EF8D47B68DF3CC552CB00
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3076077378.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: ierarchy Descriptor'$riptor at (
          • API String ID: 592178966-758928094
          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
          • Instruction ID: 40d697394cd767119a46280874914b4daa5d8e9346db535fcc515f98333aa0ca
          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
          • Instruction Fuzzy Hash: 7EE08661A41F84A0DF118F66E8442D873A0DB58B69B48D122995C46311FA38D1E9C300
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000016.00000002.3076077378.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: Locator'$riptor at (
          • API String ID: 592178966-4215709766
          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
          • Instruction ID: 33387b3a89b0f7cf97b4c9f63ea1e6ce0b438a2dcf969175634c70bf0c094b31
          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
          • Instruction Fuzzy Hash: F9E0CD61A01F44D0DF118F65D4441D87360E75CB69F88D222CD4C47311FB38D1E5C300
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID:
          • API String ID: 756756679-0
          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
          • Instruction ID: 435233d5cd765dd7833698f1ddb9f59ae8d1156237805913c2fcddc5f4e0a6b6
          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
          • Instruction Fuzzy Hash: B2119129615F5492EB54DFAEA80C26973A1FB89FC2F188065DE4E53765DF38C442C300
          APIs
          Memory Dump Source
          • Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
          Similarity
          • API ID: Heap$AllocProcess
          • String ID:
          • API String ID: 1617791916-0
          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
          • Instruction ID: 46137aeb2ac080d4014b8e101a3abee4704eba82c5d2520b876412a79b8151bf
          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
          • Instruction Fuzzy Hash: 77E06D39621E1486EB548FEAD80C36A36E1FB89F06F14C024CA0907751DF7DC499C750
          Memory Dump Source
          • Source File: 0000001D.00000002.1725784337.00007FF6CCFE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CCFE0000, based on PE: true
          • Associated: 0000001D.00000002.1725766723.00007FF6CCFE0000.00000002.00000001.01000000.00000004.sdmp
          • Associated: 0000001D.00000002.1725844500.00007FF6CCFF3000.00000002.00000001.01000000.00000004.sdmp
          • Associated: 0000001D.00000002.1725888487.00007FF6CCFF9000.00000004.00000001.01000000.00000004.sdmp
          • Associated: 0000001D.00000002.1726557966.00007FF6CCFFA000.00000008.00000001.01000000.00000004.sdmp
          • Associated: 0000001D.00000002.1729355957.00007FF6CD523000.00000004.00000001.01000000.00000004.sdmp
          • Associated: 0000001D.00000002.1729379853.00007FF6CD528000.00000002.00000001.01000000.00000004.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_29_2_7ff6ccfe0000_whrbuflqwhah.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1235303a4078601fa075146d934a06d32e9be1ad41df72c2bceefdb3f93881ef
          • Instruction ID: d4c8ad65ee591ea158914f60be854de999062e7af29f54b5b37fffc69d8a6deb
          • Opcode Fuzzy Hash: 1235303a4078601fa075146d934a06d32e9be1ad41df72c2bceefdb3f93881ef
          • Instruction Fuzzy Hash: 28B01230D04789C8E3002F02D84135C36A0AF08742F414035C45C83353CEFD90408B50
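          The "Memory Dump Source" and "Snapshot File" lines above carry the forensic signal of this report in compressed form: the function blocks attributed to winlogon (PID 0x16 = 22) and lsass (PID 0x1F = 31) come from regions whose dump-file name ends in .00000040.00000001.00020000.00000000.sdmp and that are "based on PE: true", while the sample's own code (PID 0x1D = 29) comes from .00000020.00000001.01000000.00000004.sdmp regions. The following parser is an added example written for this page, not part of Joe Sandbox or its IDA plugin. It assumes the .sdmp name layout is pid.stage.dumpid.base.protection.flag.memtype.module and reads the protection and memory-type fields as the Win32 PAGE_* and MEM_* constants (0x40 = PAGE_EXECUTE_READWRITE, 0x20000 = MEM_PRIVATE, 0x1000000 = MEM_IMAGE); that field interpretation is an assumption, not something the report documents. The process name is taken from the matching Snapshot File line. The sample input is constructed from lines copied off this page.

```python
"""Parse the "Memory Dump Source" metadata that Joe Sandbox attaches to each
disassembled function and flag dumped regions that look like injected PE
images.  Example code written for this page; it is not part of Joe Sandbox.

Assumed (undocumented on the page) layout of the .sdmp file name:
  <pid hex>.<stage>.<dump id>.<base>.<protection>.<flag>.<mem type>.<module>.sdmp
Protection and memory type are read as the Win32 PAGE_* / MEM_* constants.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<pid>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp.*?based on PE:\s*(?P<pe>true|false)",
    re.IGNORECASE,
)
# Snapshot names repeat the PID in decimal and end with the host process name.
SNAPSHOT_RE = re.compile(
    r"Snapshot File:\s*hcaresult_(?P<pid>\d+)_\d+_[0-9a-f]+_(?P<proc>.+?)\.jbxd")


@dataclass
class Region:
    pid: int
    base: int
    protect: int
    mem_type: int
    based_on_pe: bool
    process: Optional[str] = None   # filled in from the matching Snapshot File line

    @property
    def injected_pe_candidate(self) -> bool:
        """Executable, privately allocated (not image-backed) memory that still
        parses as a PE is the classic footprint of a manually mapped payload."""
        return (self.based_on_pe and self.mem_type == MEM_PRIVATE
                and bool(self.protect & PAGE_EXECUTE_MASK))


def parse_report(text: str) -> List[Region]:
    """Pair each Source File line with the Snapshot File line that follows it."""
    regions: List[Region] = []
    pending: Optional[Region] = None
    for line in text.splitlines():
        m = SOURCE_RE.search(line)
        if m:
            if pending is not None:          # previous region had no snapshot line
                regions.append(pending)
            pending = Region(pid=int(m["pid"], 16), base=int(m["base"], 16),
                             protect=int(m["protect"], 16), mem_type=int(m["mtype"], 16),
                             based_on_pe=m["pe"].lower() == "true")
            continue
        m = SNAPSHOT_RE.search(line)
        if m and pending is not None:
            # A PID mismatch means the two lines are out of sync; keep the region unnamed then.
            if int(m["pid"]) == pending.pid:
                pending.process = m["proc"]
            regions.append(pending)
            pending = None
    if pending is not None:
        regions.append(pending)
    return regions


def summarize(regions: List[Region]) -> Dict[str, int]:
    """Count injected-PE candidates per host process (processes with none are omitted)."""
    counts: Dict[str, int] = {}
    for r in regions:
        if r.injected_pe_candidate:
            name = r.process or f"pid{r.pid}"
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: three dump-source blocks copied from this report page.
SAMPLE_REPORT = """\
• Source File: 00000016.00000002.3077107015.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd
• Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
• Source File: 0000001D.00000002.1725784337.00007FF6CCFE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6CCFE0000, based on PE: true
• Associated: 0000001D.00000002.1725766723.00007FF6CCFE0000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_7ff6ccfe0000_whrbuflqwhah.jbxd
"""

if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        print(f"pid {r.pid:>3} {r.process:<14} base 0x{r.base:X} prot 0x{r.protect:02X} "
              f"type 0x{r.mem_type:X} injected_pe={r.injected_pe_candidate}")
    print(summarize(SAMPLE_REPORT and parse_report(SAMPLE_REPORT)))
```

          Run over the three constructed blocks, the two RWX MEM_PRIVATE regions in winlogon and lsass are flagged and the sample's own MEM_IMAGE region is not, which is the same picture the report's "Injects a PE file into a foreign processes" signature summarizes in one line. Running it over the whole report text turns the hundreds of per-function blocks into a short table of which processes host foreign executable code, which is the list to carry into a memory-forensics or EDR hunt.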

          Execution Graph

          Execution Coverage:1%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:0%
          Total number of Nodes:261
          Total number of Limit Nodes:15
          execution_graph 14836 202c0ab273c 14839 202c0ab276a 14836->14839 14837 202c0ab28d4 14838 202c0ab2858 LoadLibraryA 14838->14839 14839->14837 14839->14838 14840 202c0ae202c 14841 202c0ae205d 14840->14841 14842 202c0ae2173 14841->14842 14849 202c0ae2081 14841->14849 14853 202c0ae213e 14841->14853 14843 202c0ae2178 14842->14843 14844 202c0ae21e7 14842->14844 14861 202c0ae2f04 GetProcessHeap HeapAlloc 14843->14861 14845 202c0ae21ec 14844->14845 14844->14853 14848 202c0ae2f04 11 API calls 14845->14848 14847 202c0ae20b9 StrCmpNIW 14847->14849 14851 202c0ae2190 14848->14851 14849->14847 14852 202c0ae20e0 14849->14852 14849->14853 14851->14853 14852->14849 14854 202c0ae1bf4 14852->14854 14855 202c0ae1c8f 14854->14855 14856 202c0ae1c1b GetProcessHeap HeapAlloc 14854->14856 14855->14852 14856->14855 14857 202c0ae1c56 14856->14857 14858 202c0ae1c77 GetProcessHeap HeapFree 14857->14858 14867 202c0ae152c 14857->14867 14858->14855 14866 202c0ae2f57 14861->14866 14862 202c0ae3015 GetProcessHeap HeapFree 14862->14851 14863 202c0ae3010 14863->14862 14864 202c0ae2fa2 StrCmpNIW 14864->14866 14865 202c0ae1bf4 6 API calls 14865->14866 14866->14862 14866->14863 14866->14864 14866->14865 14868 202c0ae1546 14867->14868 14871 202c0ae157c 14867->14871 14869 202c0ae155d StrCmpIW 14868->14869 14870 202c0ae1565 StrCmpW 14868->14870 14868->14871 14869->14868 14870->14868 14871->14858 14872 202c0ae1abc 14877 202c0ae1628 GetProcessHeap HeapAlloc 14872->14877 14874 202c0ae1ad2 Sleep SleepEx 14875 202c0ae1acb 14874->14875 14875->14874 14876 202c0ae1598 StrCmpIW StrCmpW 14875->14876 14876->14875 14921 202c0ae1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14877->14921 14879 202c0ae1650 14922 202c0ae1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14879->14922 14881 202c0ae1661 14923 202c0ae1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14881->14923 14883 202c0ae166a 14924 202c0ae1268 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14883->14924 14885 202c0ae1673 14886 
202c0ae168e RegOpenKeyExW 14885->14886 14887 202c0ae16c0 RegOpenKeyExW 14886->14887 14888 202c0ae18a6 14886->14888 14889 202c0ae16ff RegOpenKeyExW 14887->14889 14890 202c0ae16e9 14887->14890 14888->14875 14892 202c0ae173a RegOpenKeyExW 14889->14892 14893 202c0ae1723 14889->14893 14925 202c0ae12bc RegQueryInfoKeyW 14890->14925 14894 202c0ae175e 14892->14894 14895 202c0ae1775 RegOpenKeyExW 14892->14895 14934 202c0ae104c RegQueryInfoKeyW 14893->14934 14899 202c0ae12bc 16 API calls 14894->14899 14900 202c0ae17b0 RegOpenKeyExW 14895->14900 14901 202c0ae1799 14895->14901 14902 202c0ae176b RegCloseKey 14899->14902 14904 202c0ae17eb RegOpenKeyExW 14900->14904 14905 202c0ae17d4 14900->14905 14903 202c0ae12bc 16 API calls 14901->14903 14902->14895 14906 202c0ae17a6 RegCloseKey 14903->14906 14908 202c0ae180f 14904->14908 14909 202c0ae1826 RegOpenKeyExW 14904->14909 14907 202c0ae12bc 16 API calls 14905->14907 14906->14900 14912 202c0ae17e1 RegCloseKey 14907->14912 14913 202c0ae104c 6 API calls 14908->14913 14910 202c0ae1861 RegOpenKeyExW 14909->14910 14911 202c0ae184a 14909->14911 14916 202c0ae189c RegCloseKey 14910->14916 14917 202c0ae1885 14910->14917 14915 202c0ae104c 6 API calls 14911->14915 14912->14904 14914 202c0ae181c RegCloseKey 14913->14914 14914->14909 14918 202c0ae1857 RegCloseKey 14915->14918 14916->14888 14919 202c0ae104c 6 API calls 14917->14919 14918->14910 14920 202c0ae1892 RegCloseKey 14919->14920 14920->14916 14921->14879 14922->14881 14923->14883 14924->14885 14926 202c0ae148a RegCloseKey 14925->14926 14927 202c0ae1327 GetProcessHeap HeapAlloc 14925->14927 14926->14889 14928 202c0ae1476 GetProcessHeap HeapFree 14927->14928 14929 202c0ae1352 RegEnumValueW 14927->14929 14928->14926 14930 202c0ae13a5 14929->14930 14930->14928 14930->14929 14931 202c0ae152c 2 API calls 14930->14931 14932 202c0ae141e lstrlenW GetProcessHeap HeapAlloc StrCpyW 14930->14932 14933 202c0ae13d3 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14930->14933 14931->14930 14932->14930 
14933->14932 14935 202c0ae10bf 14934->14935 14936 202c0ae11b5 RegCloseKey 14934->14936 14935->14936 14937 202c0ae10cf RegEnumValueW 14935->14937 14938 202c0ae114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14935->14938 14936->14892 14937->14935 14938->14935 14939 202c0ae253c 14941 202c0ae25bb 14939->14941 14940 202c0ae27aa 14941->14940 14942 202c0ae261d GetFileType 14941->14942 14943 202c0ae2641 14942->14943 14944 202c0ae262b StrCpyW 14942->14944 14955 202c0ae1a40 GetFinalPathNameByHandleW 14943->14955 14945 202c0ae2650 14944->14945 14949 202c0ae265a 14945->14949 14953 202c0ae26ff 14945->14953 14948 202c0ae3844 StrCmpNIW 14948->14953 14949->14940 14960 202c0ae3844 14949->14960 14963 202c0ae3044 StrCmpIW 14949->14963 14967 202c0ae1cac 14949->14967 14952 202c0ae3044 4 API calls 14952->14953 14953->14940 14953->14948 14953->14952 14954 202c0ae1cac 2 API calls 14953->14954 14954->14953 14956 202c0ae1a6a StrCmpNIW 14955->14956 14957 202c0ae1aa9 14955->14957 14956->14957 14958 202c0ae1a84 lstrlenW 14956->14958 14957->14945 14958->14957 14959 202c0ae1a96 StrCpyW 14958->14959 14959->14957 14961 202c0ae3851 StrCmpNIW 14960->14961 14962 202c0ae3866 14960->14962 14961->14962 14962->14949 14964 202c0ae308d PathCombineW 14963->14964 14965 202c0ae3076 StrCpyW StrCatW 14963->14965 14966 202c0ae3096 14964->14966 14965->14966 14966->14949 14968 202c0ae1ccc 14967->14968 14969 202c0ae1cc3 14967->14969 14968->14949 14970 202c0ae152c 2 API calls 14969->14970 14970->14968 14971 202c0aed6cc 14972 202c0aed6dd __free_lconv_num 14971->14972 14973 202c0aed72e 14972->14973 14974 202c0aed712 HeapAlloc 14972->14974 14977 202c0aed6ac 14973->14977 14974->14972 14976 202c0aed72c 14974->14976 14980 202c0aecfa0 14977->14980 14979 202c0aed6b5 14979->14976 14983 202c0aecfb5 __vcrt_InitializeCriticalSectionEx 14980->14983 14981 202c0aecfe1 FlsSetValue 14982 202c0aecff3 14981->14982 14986 202c0aecfd1 _CallSETranslator 14981->14986 14996 202c0aed6cc 14982->14996 14983->14981 14983->14986 
14986->14979 14987 202c0aed020 FlsSetValue 14990 202c0aed03e 14987->14990 14991 202c0aed02c FlsSetValue 14987->14991 14988 202c0aed010 FlsSetValue 14989 202c0aed019 14988->14989 15002 202c0aed744 14989->15002 15007 202c0aecb94 14990->15007 14991->14989 14995 202c0aed744 __free_lconv_num 2 API calls 14995->14986 14997 202c0aed6dd __free_lconv_num 14996->14997 14998 202c0aed72e 14997->14998 14999 202c0aed712 HeapAlloc 14997->14999 15000 202c0aed6ac __free_lconv_num 5 API calls 14998->15000 14999->14997 15001 202c0aed002 14999->15001 15000->15001 15001->14987 15001->14988 15003 202c0aed77a 15002->15003 15004 202c0aed749 HeapFree 15002->15004 15003->14986 15004->15003 15005 202c0aed764 __vcrt_InitializeCriticalSectionEx __free_lconv_num 15004->15005 15006 202c0aed6ac __free_lconv_num 5 API calls 15005->15006 15006->15003 15008 202c0aecc46 __free_lconv_num 15007->15008 15011 202c0aecaec 15008->15011 15010 202c0aecc5b 15010->14995 15012 202c0aecb08 15011->15012 15015 202c0aecd7c 15012->15015 15014 202c0aecb1e 15014->15010 15016 202c0aecdc4 Concurrency::details::SchedulerProxy::DeleteThis 15015->15016 15017 202c0aecd98 Concurrency::details::SchedulerProxy::DeleteThis 15015->15017 15016->15014 15017->15016 15019 202c0af07b4 15017->15019 15020 202c0af0850 15019->15020 15024 202c0af07d7 15019->15024 15021 202c0af08a3 15020->15021 15023 202c0aed744 __free_lconv_num 6 API calls 15020->15023 15085 202c0af0954 15021->15085 15026 202c0af0874 15023->15026 15024->15020 15025 202c0af0816 15024->15025 15030 202c0aed744 __free_lconv_num 6 API calls 15024->15030 15028 202c0af0838 15025->15028 15035 202c0aed744 __free_lconv_num 6 API calls 15025->15035 15027 202c0aed744 __free_lconv_num 6 API calls 15026->15027 15031 202c0af0888 15027->15031 15029 202c0aed744 __free_lconv_num 6 API calls 15028->15029 15032 202c0af0844 15029->15032 15033 202c0af080a 15030->15033 15034 202c0aed744 __free_lconv_num 6 API calls 15031->15034 15037 202c0aed744 __free_lconv_num 6 API calls 15032->15037 15045 
202c0af2fc8 15033->15045 15040 202c0af0897 15034->15040 15041 202c0af082c 15035->15041 15036 202c0af090e 15037->15020 15038 202c0aed744 6 API calls __free_lconv_num 15043 202c0af08af 15038->15043 15044 202c0aed744 __free_lconv_num 6 API calls 15040->15044 15073 202c0af30d4 15041->15073 15043->15036 15043->15038 15044->15021 15046 202c0af2fd1 15045->15046 15071 202c0af30cc 15045->15071 15047 202c0aed744 __free_lconv_num 6 API calls 15046->15047 15048 202c0af2feb 15046->15048 15047->15048 15050 202c0af2ffd 15048->15050 15051 202c0aed744 __free_lconv_num 6 API calls 15048->15051 15049 202c0af300f 15053 202c0af3021 15049->15053 15054 202c0aed744 __free_lconv_num 6 API calls 15049->15054 15050->15049 15052 202c0aed744 __free_lconv_num 6 API calls 15050->15052 15051->15050 15052->15049 15055 202c0af3033 15053->15055 15056 202c0aed744 __free_lconv_num 6 API calls 15053->15056 15054->15053 15057 202c0af3045 15055->15057 15058 202c0aed744 __free_lconv_num 6 API calls 15055->15058 15056->15055 15059 202c0af3057 15057->15059 15061 202c0aed744 __free_lconv_num 6 API calls 15057->15061 15058->15057 15060 202c0af3069 15059->15060 15062 202c0aed744 __free_lconv_num 6 API calls 15059->15062 15063 202c0af307b 15060->15063 15064 202c0aed744 __free_lconv_num 6 API calls 15060->15064 15061->15059 15062->15060 15065 202c0af308d 15063->15065 15066 202c0aed744 __free_lconv_num 6 API calls 15063->15066 15064->15063 15067 202c0af30a2 15065->15067 15068 202c0aed744 __free_lconv_num 6 API calls 15065->15068 15066->15065 15069 202c0af30b7 15067->15069 15070 202c0aed744 __free_lconv_num 6 API calls 15067->15070 15068->15067 15069->15071 15072 202c0aed744 __free_lconv_num 6 API calls 15069->15072 15070->15069 15071->15025 15072->15071 15074 202c0af30d9 15073->15074 15082 202c0af313a 15073->15082 15075 202c0af30f2 15074->15075 15076 202c0aed744 __free_lconv_num 6 API calls 15074->15076 15077 202c0af3104 15075->15077 15078 202c0aed744 __free_lconv_num 6 API calls 15075->15078 15076->15075 15079 
202c0af3116 15077->15079 15080 202c0aed744 __free_lconv_num 6 API calls 15077->15080 15078->15077 15081 202c0aed744 __free_lconv_num 6 API calls 15079->15081 15083 202c0af3128 15079->15083 15080->15079 15081->15083 15082->15028 15083->15082 15084 202c0aed744 __free_lconv_num 6 API calls 15083->15084 15084->15082 15086 202c0af0959 15085->15086 15087 202c0af0985 15085->15087 15086->15087 15091 202c0af3174 15086->15091 15087->15043 15090 202c0aed744 __free_lconv_num 6 API calls 15090->15087 15092 202c0af317d 15091->15092 15126 202c0af097d 15091->15126 15127 202c0af3140 15092->15127 15095 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15096 202c0af31a6 15095->15096 15097 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15096->15097 15098 202c0af31b4 15097->15098 15099 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15098->15099 15100 202c0af31c2 15099->15100 15101 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15100->15101 15102 202c0af31d1 15101->15102 15103 202c0aed744 __free_lconv_num 6 API calls 15102->15103 15104 202c0af31dd 15103->15104 15105 202c0aed744 __free_lconv_num 6 API calls 15104->15105 15106 202c0af31e9 15105->15106 15107 202c0aed744 __free_lconv_num 6 API calls 15106->15107 15108 202c0af31f5 15107->15108 15109 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15108->15109 15110 202c0af3203 15109->15110 15111 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15110->15111 15112 202c0af3211 15111->15112 15113 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15112->15113 15114 202c0af321f 15113->15114 15115 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15114->15115 15116 202c0af322d 15115->15116 15117 202c0af3140 Concurrency::details::SchedulerProxy::DeleteThis 6 API calls 15116->15117 15118 202c0af323c 15117->15118 15119 202c0aed744 __free_lconv_num 6 API calls 
15118->15119 15120 202c0af3248 15119->15120 15121 202c0aed744 __free_lconv_num 6 API calls 15120->15121 15122 202c0af3254 15121->15122 15123 202c0aed744 __free_lconv_num 6 API calls 15122->15123 15124 202c0af3260 15123->15124 15125 202c0aed744 __free_lconv_num 6 API calls 15124->15125 15125->15126 15126->15090 15128 202c0af3167 15127->15128 15130 202c0af3156 15127->15130 15128->15095 15129 202c0aed744 __free_lconv_num 6 API calls 15129->15130 15130->15128 15130->15129

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 5 202c0ae253c-202c0ae25c0 call 202c0b02cc0 8 202c0ae27d8-202c0ae27fb 5->8 9 202c0ae25c6-202c0ae25c9 5->9 9->8 10 202c0ae25cf-202c0ae25dd 9->10 10->8 11 202c0ae25e3-202c0ae2629 call 202c0ae8c60 * 3 GetFileType 10->11 18 202c0ae2641-202c0ae264b call 202c0ae1a40 11->18 19 202c0ae262b-202c0ae263f StrCpyW 11->19 20 202c0ae2650-202c0ae2654 18->20 19->20 22 202c0ae26ff-202c0ae2704 20->22 23 202c0ae265a-202c0ae2673 call 202c0ae30a8 call 202c0ae3844 20->23 24 202c0ae2707-202c0ae270c 22->24 36 202c0ae26aa-202c0ae26f4 call 202c0b02cc0 23->36 37 202c0ae2675-202c0ae26a4 call 202c0ae30a8 call 202c0ae3044 call 202c0ae1cac 23->37 26 202c0ae270e-202c0ae2711 24->26 27 202c0ae2729 24->27 26->27 29 202c0ae2713-202c0ae2716 26->29 31 202c0ae272c-202c0ae2745 call 202c0ae30a8 call 202c0ae3844 27->31 29->27 32 202c0ae2718-202c0ae271b 29->32 48 202c0ae2787-202c0ae2789 31->48 49 202c0ae2747-202c0ae2776 call 202c0ae30a8 call 202c0ae3044 call 202c0ae1cac 31->49 32->27 35 202c0ae271d-202c0ae2720 32->35 35->27 39 202c0ae2722-202c0ae2727 35->39 36->8 46 202c0ae26fa 36->46 37->8 37->36 39->27 39->31 46->23 50 202c0ae27aa-202c0ae27ad 48->50 51 202c0ae278b-202c0ae27a5 48->51 49->48 69 202c0ae2778-202c0ae2783 49->69 55 202c0ae27af-202c0ae27b5 50->55 56 202c0ae27b7-202c0ae27ba 50->56 51->24 55->8 59 202c0ae27bc-202c0ae27bf 56->59 60 202c0ae27d5 56->60 59->60 63 202c0ae27c1-202c0ae27c4 59->63 60->8 63->60 65 202c0ae27c6-202c0ae27c9 63->65 65->60 67 202c0ae27cb-202c0ae27ce 65->67 67->60 68 202c0ae27d0-202c0ae27d3 67->68 68->8 68->60 69->8 70 202c0ae2785 69->70 70->24
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: FileType
          • String ID: \\.\pipe\
          • API String ID: 3081899298-91387939
          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
          • Instruction ID: 383afa285ac380fd55eaa2c4cb7d261a7defb1f4293108ecd3c580df2b121f06
          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
          • Instruction Fuzzy Hash: 517190362047C1C6F625DF2998CC3AE7794F389B84F560127DFAA53B8ADA35CA598700

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 71 202c0ae202c-202c0ae2057 call 202c0b02d00 73 202c0ae205d-202c0ae2066 71->73 74 202c0ae206f-202c0ae2072 73->74 75 202c0ae2068-202c0ae206c 73->75 76 202c0ae2078-202c0ae207b 74->76 77 202c0ae2223-202c0ae2243 74->77 75->74 78 202c0ae2081-202c0ae2093 76->78 79 202c0ae2173-202c0ae2176 76->79 78->77 80 202c0ae2099-202c0ae20a5 78->80 81 202c0ae2178-202c0ae2192 call 202c0ae2f04 79->81 82 202c0ae21e7-202c0ae21ea 79->82 83 202c0ae20a7-202c0ae20b7 80->83 84 202c0ae20d3-202c0ae20de call 202c0ae1bbc 80->84 81->77 91 202c0ae2198-202c0ae21ae 81->91 82->77 85 202c0ae21ec-202c0ae21ff call 202c0ae2f04 82->85 83->84 87 202c0ae20b9-202c0ae20d1 StrCmpNIW 83->87 92 202c0ae20ff-202c0ae2111 84->92 97 202c0ae20e0-202c0ae20f8 call 202c0ae1bf4 84->97 85->77 96 202c0ae2201-202c0ae2209 85->96 87->84 87->92 91->77 95 202c0ae21b0-202c0ae21cc 91->95 98 202c0ae2121-202c0ae2123 92->98 99 202c0ae2113-202c0ae2115 92->99 100 202c0ae21d0-202c0ae21e3 95->100 96->77 103 202c0ae220b-202c0ae2213 96->103 97->92 113 202c0ae20fa-202c0ae20fd 97->113 101 202c0ae212a 98->101 102 202c0ae2125-202c0ae2128 98->102 105 202c0ae211c-202c0ae211f 99->105 106 202c0ae2117-202c0ae211a 99->106 100->100 108 202c0ae21e5 100->108 107 202c0ae212d-202c0ae2130 101->107 102->107 109 202c0ae2216-202c0ae2221 103->109 105->107 106->107 111 202c0ae213e-202c0ae2141 107->111 112 202c0ae2132-202c0ae2138 107->112 108->77 109->77 109->109 111->77 114 202c0ae2147-202c0ae214b 111->114 112->80 112->111 113->107 115 202c0ae214d-202c0ae2150 114->115 116 202c0ae2162-202c0ae216e 114->116 115->77 117 202c0ae2156-202c0ae215b 115->117 116->77 117->114 118 202c0ae215d 117->118 118->77
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID: S$dialer
          • API String ID: 756756679-3873981283
          • Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
          • Instruction ID: 7d0801e181e7e1027f0f2556f8cd6da4d5c454e321737ababf7947f23bb56196
          • Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
          • Instruction Fuzzy Hash: 5651AC32B107A4C6FB61CF29E88C6AD63E5F704784F069123DFA512B86DB35C969C300

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: FinalHandleNamePathlstrlen
          • String ID: \\?\
          • API String ID: 2719912262-4282027825
          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
          • Instruction ID: 8c3d5dbfacf504bca622ea7f657326f4a67cd1e3c1ec290e5004b19a988dad2d
          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
          • Instruction Fuzzy Hash: BCF01922304781D2FB608B21E8CC76D6765F748BC8F958123DB994B966DA2DC68DCB00

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
          • String ID:
          • API String ID: 1683269324-0
          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction ID: 435a5f88e7c6a6dd218e0f6004eb37f2790bd4aa4d5b291e1e8191fef771e2ad
          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction Fuzzy Hash: A8119672618782D2F760D721F8CDB6D2294BB54748F528127ABB6497A3EF78C46C8240

          Control-flow Graph

          APIs
            • Part of subcall function 00000202C0AE1628: GetProcessHeap.KERNEL32 ref: 00000202C0AE1633
            • Part of subcall function 00000202C0AE1628: HeapAlloc.KERNEL32 ref: 00000202C0AE1642
            • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16B2
            • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE16DF
            • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE16F9
            • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1719
            • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1734
            • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1754
            • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE176F
            • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE178F
            • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE17AA
            • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE17CA
          • Sleep.KERNEL32 ref: 00000202C0AE1AD7
          • SleepEx.KERNELBASE ref: 00000202C0AE1ADD
            • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE17E5
            • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1805
            • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1820
            • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1840
            • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE185B
            • Part of subcall function 00000202C0AE1628: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE187B
            • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE1896
            • Part of subcall function 00000202C0AE1628: RegCloseKey.ADVAPI32 ref: 00000202C0AE18A0
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: CloseOpen$HeapSleep$AllocProcess
          • String ID:
          • API String ID: 1534210851-0
          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction ID: 1519724245a59a03f973eddcebe70884a6cccd966baeab2eab41fd8751cf1259
          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction Fuzzy Hash: ED31C071200BE1C1FF509B26DACD3AD53A5AB84FC4F0654239FA987697FE14C879C210

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 176 202c0ab273c-202c0ab27a4 call 202c0ab29d4 * 4 185 202c0ab27aa-202c0ab27ad 176->185 186 202c0ab29b2 176->186 185->186 187 202c0ab27b3-202c0ab27b6 185->187 188 202c0ab29b4-202c0ab29d0 186->188 187->186 189 202c0ab27bc-202c0ab27bf 187->189 189->186 190 202c0ab27c5-202c0ab27e6 189->190 190->186 192 202c0ab27ec-202c0ab280c 190->192 193 202c0ab280e-202c0ab2836 192->193 194 202c0ab2838-202c0ab283f 192->194 193->193 193->194 195 202c0ab28df-202c0ab28e6 194->195 196 202c0ab2845-202c0ab2852 194->196 197 202c0ab28ec-202c0ab2901 195->197 198 202c0ab2992-202c0ab29b0 195->198 196->195 199 202c0ab2858-202c0ab286a LoadLibraryA 196->199 197->198 200 202c0ab2907 197->200 198->188 201 202c0ab286c-202c0ab2878 199->201 202 202c0ab28ca-202c0ab28d2 199->202 205 202c0ab290d-202c0ab2921 200->205 206 202c0ab28c5-202c0ab28c8 201->206 202->199 203 202c0ab28d4-202c0ab28d9 202->203 203->195 208 202c0ab2923-202c0ab2934 205->208 209 202c0ab2982-202c0ab298c 205->209 206->202 207 202c0ab287a-202c0ab287d 206->207 210 202c0ab287f-202c0ab28a5 207->210 211 202c0ab28a7-202c0ab28b7 207->211 213 202c0ab293f-202c0ab2943 208->213 214 202c0ab2936-202c0ab293d 208->214 209->198 209->205 215 202c0ab28ba-202c0ab28c1 210->215 211->215 217 202c0ab294d-202c0ab2951 213->217 218 202c0ab2945-202c0ab294b 213->218 216 202c0ab2970-202c0ab2980 214->216 215->206 216->208 216->209 219 202c0ab2963-202c0ab2967 217->219 220 202c0ab2953-202c0ab2961 217->220 218->216 219->216 222 202c0ab2969-202c0ab296c 219->222 220->216 222->216
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107721527.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd
          Similarity
          • API ID: LibraryLoad
          • String ID:
          • API String ID: 1029625771-0
          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction ID: e9c472418be9705004432d1361e805bb540b7ad58247b10c253449de9ed0d722
          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction Fuzzy Hash: 8161DF72B01790C7EB648F15908C76DB3A2FB54BA4F598127DF5D0778ADA38D86AC700

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 223 202c0aed6cc-202c0aed6db 224 202c0aed6dd-202c0aed6e9 223->224 225 202c0aed6eb-202c0aed6fb 223->225 224->225 226 202c0aed72e-202c0aed739 call 202c0aed6ac 224->226 227 202c0aed712-202c0aed72a HeapAlloc 225->227 231 202c0aed73b-202c0aed740 226->231 229 202c0aed6fd-202c0aed704 call 202c0af0720 227->229 230 202c0aed72c 227->230 229->226 235 202c0aed706-202c0aed710 call 202c0aeb85c 229->235 230->231 235->226 235->227
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: AllocHeap
          • String ID:
          • API String ID: 4292702814-0
          • Opcode ID: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
          • Instruction ID: f1c622e14429a0b520057bbb946f3f429c66e82a7f768f9b6ab0a37ff79ad3e0
          • Opcode Fuzzy Hash: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
          • Instruction Fuzzy Hash: E4F0E998311780C1FE546B6699CD39D22845F88BC0F0E5437CF9A867D3EE1CC4AC8620

          Control-flow Graph

          • Executed
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
          • API String ID: 2119608203-3850299575
          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
          • Instruction ID: 629c2a77cc7c689ebc2a82fae016c29b45818ce3604cad8590d8ad8b42d26791
          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
          • Instruction Fuzzy Hash: 8BB18B62210BA0C6FB688F25C8CC7AD67A5F744B88F565017EF9953796EB35CC68C340
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
          • String ID:
          • API String ID: 3140674995-0
          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
          • Instruction ID: 43f65ee015122b04127526cc5c334c21e5a52d8fe7862f76cef395083f707644
          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
          • Instruction Fuzzy Hash: 74311972205B80CAFB609F60E8887ED6364F784744F45442BDB8E57A9AEF39C658C710
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
          • String ID:
          • API String ID: 1239891234-0
          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
          • Instruction ID: 3629953f5db9c1b5f8070e01c3cc1c8c2a667b2e639c3edd282c0df2f16cc2f9
          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
          • Instruction Fuzzy Hash: FF314F36214B80C6EB60CF25E88879E73A4F789758F550127EB9D47BA6EF38C559CB00

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
          • API String ID: 106492572-2879589442
          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
          • Instruction ID: 1d03e476145ce09beb9e97f2b7c5aab0935724522098279c66d9844aa9511552
          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
          • Instruction Fuzzy Hash: F2710636210B50C6FB109F25E8DCA9D23A9FB84F88F425123DB9E47B6ADE39C458C744

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
          • String ID: d
          • API String ID: 2005889112-2564639436
          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
          • Instruction ID: a5c0dd0dd48098ab404cbb16107d584fe92d72ef17c22032ec6d5acc94b81fb7
          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
          • Instruction Fuzzy Hash: 2C513876200B84C6EB50CF62E48C35EB7A5F788F89F458126DB890776ADF39C059CB00

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: CurrentThread$AddressHandleModuleProc
          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
          • API String ID: 4175298099-1975688563
          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
          • Instruction ID: 90a0736ddaf8fe37476ff4478ca91d660d6ffa8bbfea73cfc67e31501e438409
          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
          • Instruction Fuzzy Hash: 5031A2A5100B8AE0FE15EF69E8DD7DC2321F704748F835423D7A9021679F79866ED391

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107721527.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
          • API String ID: 190073905-1786718095
          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction ID: 14de66892ba18830acab2e245ab1e6cb8a15d62160b2822f01b591de40b948de
          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction Fuzzy Hash: 1381EE31600701CAFB50AB66A4CD39D66E8EB85780F57842BAB48977B7DF3DC88D8700

          Control-flow Graph

          APIs
          • GetLastError.KERNEL32 ref: 00000202C0AECE37
          • FlsGetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE4C
          • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE6D
          • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECE9A
          • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECEAB
          • FlsSetValue.KERNEL32(?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECEBC
          • SetLastError.KERNEL32 ref: 00000202C0AECED7
          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF0D
          • FlsSetValue.KERNEL32(?,?,00000001,00000202C0AEECCC,?,?,?,?,00000202C0AEBF9F,?,?,?,?,?,00000202C0AE7AB0), ref: 00000202C0AECF2C
            • Part of subcall function 00000202C0AED6CC: HeapAlloc.KERNEL32 ref: 00000202C0AED721
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF54
            • Part of subcall function 00000202C0AED744: HeapFree.KERNEL32 ref: 00000202C0AED75A
            • Part of subcall function 00000202C0AED744: GetLastError.KERNEL32 ref: 00000202C0AED764
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF65
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000202C0AF0A6B,?,?,?,00000202C0AF045C,?,?,?,00000202C0AEC84F), ref: 00000202C0AECF76
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Value$ErrorLast$Heap$AllocFree
          • String ID:
          • API String ID: 570795689-0
          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
          • Instruction ID: 4882f9c6545ddba956175daa0b1033055c58a1b9921f799def37e079ec50fdf9
          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
          • Instruction Fuzzy Hash: 754197603013C4D6FE68A73555DD36D2242AB44BB4F174B27ABBB077E7EE38886A4600

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
          • API String ID: 2171963597-1373409510
          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
          • Instruction ID: a0d3f3940cedbe8f49a02ff4fcf1ce97ef5dd93de91068aee362f87148ae0ba9
          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
          • Instruction Fuzzy Hash: 31213832614B40C2FB208B25E48C75E67A5F789BA4F514217EB9A03BA9CF3DC54DCB00
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
          • Instruction ID: dc69ca82dc18b6d9c62c9d97f6a4348578a3add946f7b447ab90ca90604d3949
          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
          • Instruction Fuzzy Hash: 12E16A72600B80CAFB60DB65948C39D77A4F7A6B98F120117EFA957B97CB34D4A9C700

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107721527.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction ID: 181cfaa8d1e203509729981359315e3b225e44fdda2c096569e0a7ba0a0bf46d
          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction Fuzzy Hash: E5E17A72604B80CAFB60DB69D48839D7BA4F755B98F12011BEF8957B9ACB34C499C704
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: AddressFreeLibraryProc
          • String ID: api-ms-$ext-ms-
          • API String ID: 3013587201-537541572
          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
          • Instruction ID: 26dcd2d441800ec49dab0db58e17c16847a3beddbc1f683c45a4dffa8db80317
          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
          • Instruction Fuzzy Hash: 2A41F422311B90D1FA16CB56A88C75E2395F748BA0F0A45279F6E877D6EE3DC45D8300
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
          • String ID: d
          • API String ID: 3743429067-2564639436
          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
          • Instruction ID: a80658ec44f4b8303e4c6cbc6e08df687ba0206d03e3ba62d1abb9220ce3f758
          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
          • Instruction Fuzzy Hash: B6415E73214B84C6F760CF21E48879E77A5F388B98F45822ADB8907B59DF39C599CB40
          APIs
          • FlsGetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED087
          • FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0A6
          • FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0CE
          • FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0DF
          • FlsSetValue.KERNEL32(?,?,?,00000202C0AEC7DE,?,?,?,?,?,?,?,?,00000202C0AECF9D,?,?,00000001), ref: 00000202C0AED0F0
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Value
          • String ID: 1%$Y%
          • API String ID: 3702945584-1395475152
          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
          • Instruction ID: 363b9827668d8b761d31e44ad5a3e4dbf29d2bfe1cda884ffc1cc8260375dec9
          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
          • Instruction Fuzzy Hash: D111AB607043C4C6FE68973555DD37D6141AB447F4F1A4727EAFA077DBDE28C86A8600
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID:
          • API String ID: 190073905-0
          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction ID: 14979f1a24b322753f854ca5a4dead1d4ee237c3b69154d6c2c35d4c8e247c5d
          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction Fuzzy Hash: CE81F4617007C1C6FB54AB65A8CD39D2390BB85B84F174427EBE9477A7EB38CA6D8700
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Library$Load$AddressErrorFreeLastProc
          • String ID: api-ms-
          • API String ID: 2559590344-2084034818
          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
          • Instruction ID: 93692ba9be4b391852265e8ab40df330be3080cd4f0ad2a801a0759650363b03
          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
          • Instruction Fuzzy Hash: A731A722212B80D1FE15DB42A48C75D2294B748BA0F5B49279FBE07792DF39C5AD8304
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
          • String ID: CONOUT$
          • API String ID: 3230265001-3130406586
          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
          • Instruction ID: b26ab6e85d4882431b05eb7ffbdc71b03f0f6e90507cbc4b46897213533c190b
          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
          • Instruction Fuzzy Hash: 91116D22314B40C6F7508B52E89C71D77A4F788FE8F154227EA5E877A6CF39C8188744
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: CurrentProcessProtectVirtual$HandleModule
          • String ID: wr
          • API String ID: 1092925422-2678910430
          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
          • Instruction ID: bcb637cd16c44afa16a89db43d108bf5c410f3b34640b7b1e1fa2b494dd30d53
          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
          • Instruction Fuzzy Hash: E1115726304B81C2FB149B21E48C26D72B4FB88B85F06412BDF99037AAEF3EC509C704
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Thread$Current$Context
          • String ID:
          • API String ID: 1666949209-0
          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
          • Instruction ID: dbc3b65819fd6533e59164d32a3bb8f97f2c88b353aa9b524f2c9543e34d3ae7
          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
          • Instruction Fuzzy Hash: 30D18776205B88C6EA70DB1AE49835E77A0F388B88F110517EADE47BA6DF3CC555CB40
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID: dialer
          • API String ID: 756756679-3528709123
          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
          • Instruction ID: 539d7fa312dabe0a02a4a36991552fccd56336bf33b53f387f86ad28829e058b
          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
          • Instruction Fuzzy Hash: 18319D22701B91C2FA14CF16A98C72DA7A0FB44B84F0A41279F9847B67EF35C4B98740
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Value$ErrorLast
          • String ID:
          • API String ID: 2506987500-0
          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
          • Instruction ID: c83c6b407707b4dbc6b3b7b82b2caed50328515e1eb0a43fe36386d7293909be
          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
          • Instruction Fuzzy Hash: 0A1163203013C0C6FE68A73555DD72D6242AB987F4F164727EAB7477E7EE68C86A8700
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
          • String ID:
          • API String ID: 517849248-0
          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
          • Instruction ID: c1f12f185a365d98643c548e91b1e72bf4effc7dbd05845da70183f29bcaf82d
          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
          • Instruction Fuzzy Hash: DD010532301B80C2FA649B52A89C75963A9B788FC4F894137DF9A43766DE39C989C740
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
          • String ID:
          • API String ID: 449555515-0
          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
          • Instruction ID: 164501a6415bffd66fe917e88f769ddc3ad1f1b40aa64bea97b79c9247d2f77e
          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
          • Instruction Fuzzy Hash: B5012DB6611B40C2FB249B21E88C71E73A4BB45B86F154527CF9907766EF3EC55C8704
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
          • String ID: csm$f
          • API String ID: 2395640692-629598281
          • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
          • Instruction ID: 4b0a6f3e062a47a2f3e77ad4f28d0830188973ba44af3f5408a27d7634b4296d
          • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
          • Instruction Fuzzy Hash: 6751BF32201B81CAFB94CF15E88CB5D3795F344B88F528227DBA64774AEB35C859C708
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: CombinePath
          • String ID: \\.\pipe\
          • API String ID: 3422762182-91387939
          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
          • Instruction ID: 748eaec06fdd8304175141e91d7fcb10eea3299cf276c1654e8c92baf0a6311d
          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
          • Instruction Fuzzy Hash: 6DF01C66718B84C2FA148B53B99C11D6665AB48FD0F0A9233EF5A4BB2ADF3DC45D8700
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: AddressFreeHandleLibraryModuleProc
          • String ID: CorExitProcess$mscoree.dll
          • API String ID: 4061214504-1276376045
          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
          • Instruction ID: b1dae043e590163143f4e82ec39ab210fa29368e4bf0a17308b2a9fdf74dbffb
          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
          • Instruction Fuzzy Hash: 65F06262211B45C1FB108B24E8CC35E6360EB88765F55021BCB6A452F6DF3DC55C8700
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: CurrentThread
          • String ID:
          • API String ID: 2882836952-0
          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
          • Instruction ID: cdd9b78ec5eaf04cb1b2f14923f4cedba8257b9bf05445ea44050982a578b50b
          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
          • Instruction Fuzzy Hash: 6C02A432219B84C6EB60CB55F49875EB7A1F384794F110117EBDE87BAADB78C498CB00
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: CurrentThread
          • String ID:
          • API String ID: 2882836952-0
          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
          • Instruction ID: 76b413ec14e38a6ac9e88e25468b0616ac705ba1cdb0ca70ff7d6d8fad0dbab9
          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
          • Instruction Fuzzy Hash: 6061B676619B80C6F660CB15F48871E77A0F388794F110517EBDE47BAADB78C968CB40
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction ID: aadaf6c08f9748136de9f6cbceaa287ca2a5a32013c1ebda6f4ef6558c209bf0
          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction Fuzzy Hash: EE119E23A10B54A9F7641568E8DE36D11406B683F8F0A0727AB76076EB8B2AC8CD424C
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107721527.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction ID: 2438009d4eccd0bfdc5c9a2303f4341fa76b055f83bc79e43529a95e1e4287f6
          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction Fuzzy Hash: 5B112533A5CF09C9FAA42128E4CE37D10D07B59370F4B863BAB76163E7CA6AC84C4201
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107721527.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd
          Similarity
          • API ID: _invalid_parameter_noinfo
          • String ID: Tuesday$Wednesday$or copy constructor iterator'
          • API String ID: 3215553584-4202648911
          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
          • Instruction ID: 26cf979074d90fcf05d85e544fcdcf7579b7cc95cef60043f929738aa5a5c4dc
          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
          • Instruction Fuzzy Hash: F2610536600760C6FA69DB69E5CC76E6AA0F789780F5B8917CB0A177A7DB34C84DC300
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: CallEncodePointerTranslator
          • String ID: MOC$RCC
          • API String ID: 3544855599-2084237596
          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction ID: 558256b13703980bb35bc78ab76fb44dce15fdc78b8fdb1fb2b32ce49efec02f
          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction Fuzzy Hash: 36614832600B84CAFB20DF65D48839D77A0F399B88F154217EF9917B9ADB78D5A9C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction ID: 97304d35c4b486749e002e92b9cf81982149fd581c5d11b448b14438c7f928ed
          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction Fuzzy Hash: 44514C721007C0CAFB648B2595CC35D77A0F766B95F1A4217DBE947B96CB38E4A9CB00
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107721527.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction ID: 19c43cd71e60161d93812c77d0e4ac8737510cff6eeb5711627b4654a467fa8f
          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction Fuzzy Hash: 44516D36104780CAFB748B25959C39C7BA0F365B94F1A8217DB998BBD7CB39D499C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107721527.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction ID: 8446a618bbd1140fecb175adc7a255fff733e8375c6260d7fd1f59283cc66251
          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction Fuzzy Hash: 1151AB32601700CAFB29CF29E48CB5D3795F354B98F568227DB164378AEB35D889C704
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107721527.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction ID: 90803dd6b9b29f9c4154e969358d487dae67566bd5ce1f620f43925fcc542657
          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction Fuzzy Hash: 7F316A32201740D6FB299F29E88C75D7BA4F340B98F168117AF5A07786DB39C948C704
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: FileWrite$ConsoleErrorLastOutput
          • String ID:
          • API String ID: 2718003287-0
          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
          • Instruction ID: 5415e984cde6a1f954e745032577872c235aef40fdbcb0d3a10d64624b9653db
          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
          • Instruction Fuzzy Hash: 99D1BC73B14B80C9F721CFA9D48829C3BA1F354B98F158217CF5A97B9ADA39C54AC740
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Heap$Process$Free
          • String ID:
          • API String ID: 3168794593-0
          • Opcode ID: fccdced75e0e166058a65fb9f01cb5bc762ae8e924348a52df6b038ca287fb4d
          • Instruction ID: e1a4700da16e8d3ef1b17da53b22238d79ed5d8b917823312ea25b365b8a4f34
          • Opcode Fuzzy Hash: fccdced75e0e166058a65fb9f01cb5bc762ae8e924348a52df6b038ca287fb4d
          • Instruction Fuzzy Hash: 1E117977500B90C6F714DF62A88C14DB7A4F788F81F0A4127EB4903766DE39C0598744
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: ConsoleErrorLastMode
          • String ID:
          • API String ID: 953036326-0
          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
          • Instruction ID: 7750c07c3da3ab5777ee1fb19e88fe5ee8ba8c540cdc789170c23b37d6888931
          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
          • Instruction Fuzzy Hash: D9918A73610B50C9FB61DF6594CC7AD2BA0B744B88F56410BDF4A67A96DB3AC88BC700
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
          • String ID:
          • API String ID: 2933794660-0
          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
          • Instruction ID: c1e121f40b66a15715f8d269b70c98ee374ca54bb48e74cdb6f3174d14493375
          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
          • Instruction Fuzzy Hash: 34111C22710B01C9FB00CB60E8983AC33A4F719B58F450E22DB6D467A5DB78C5988380
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107721527.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd
          Similarity
          • API ID: CallTranslator
          • String ID: MOC$RCC
          • API String ID: 3163161869-2084237596
          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction ID: f3028f0bacb26f4c6116040a1e45f79bacc9d5a175de68b6d573a429fff7c7f3
          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction Fuzzy Hash: B7614532A00B84CAFB24DF65D4883AD77A0F748B98F154217EF4917B9ADB38D599C704
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: FileType
          • String ID: \\.\pipe\
          • API String ID: 3081899298-91387939
          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
          • Instruction ID: 3514571e2c1d6cd3889b28a5e79674fb4b07f5075b2e224e86b20f94a4d05b12
          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
          • Instruction Fuzzy Hash: 2B5180322087C1C1F6649B29A5DC3BEA791F385B80F560127DFEA03B9BDA39C52D8750
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: ErrorFileLastWrite
          • String ID: U
          • API String ID: 442123175-4171548499
          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
          • Instruction ID: b84669cd5d919c91a09ffca97e8587df6a0950af1a2baa035680203c31bd1311
          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
          • Instruction Fuzzy Hash: 93418E63614B80C6EB209F25E8883AEA7A0F798794F524023EF4D87795EB39C44AC740
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: ExceptionFileHeaderRaise
          • String ID: csm
          • API String ID: 2573137834-1018135373
          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
          • Instruction ID: 149d407967b934cd8ed689359ce0485475af0033eaf3f8f7976efa754672e473
          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
          • Instruction Fuzzy Hash: 8F112B36214B8082EB618B15E48835D77E5F788B94F594222EFCC077A9DF3DC569CB04
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107721527.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: ierarchy Descriptor'$riptor at (
          • API String ID: 592178966-758928094
          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
          • Instruction ID: 8da40ad284d153a9b89d1544e12ba7a913fe1935213764a8cba5128ad5ea2d85
          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
          • Instruction Fuzzy Hash: A1E08661641B44D0EF018F31E88829C33A4DB58B64F9A91239A5C06312FA38D1EDC300
          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001F.00000002.3107721527.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: Locator'$riptor at (
          • API String ID: 592178966-4215709766
          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
          • Instruction ID: 5205816057d34bf06f4ea810c880042c8f0231ff55e9ce8539c58bb0b426eeb2
          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
          • Instruction Fuzzy Hash: 30E08661601F44C0EF058F31D88419C73A4E758B54F8A9123DA4C06312EA38D1E9C300
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID:
          • API String ID: 756756679-0
          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
          • Instruction ID: 0bfdd2f4f70d0c77588d297d632a834cc4e271defd7936f82574c36193d19b8d
          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
          • Instruction Fuzzy Hash: 6C119A26601B94C1FA44CB66A88C22D63A0FBC8FC0F1A412BDF8D83766DF39C45AC300
          APIs
          Memory Dump Source
          • Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
          Similarity
          • API ID: Heap$AllocProcess
          • String ID:
          • API String ID: 1617791916-0
          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
          • Instruction ID: 14bf7bafefd4b55b8bc325b1bb0149ce76066631eeb9ae1ebb85862f094286e6
          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
          • Instruction Fuzzy Hash: 48E03936601704C6FB048B62D84C34A36E5EB89B06F0681268B0907362DF7E8499C750
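The entries above all share one layout: a Memory Dump Source block naming the process and the injected region, then Similarity fields in which the Opcode ID stays the same when the same code is mapped at a different address (the two _set_statfp entries from the 202C0AB0000 and 202C0AE0000 regions of lsass share an Opcode ID but differ in Instruction ID, and the same holds for the CallTranslator and Frame$EmptyHandler3 entries). The parser below is an added example, not Joe Sandbox's or the sample author's code; it assumes the entries are pasted as plain text in the layout shown on this page (the sample in the block is copied from four of the entries above and trimmed to the fields the parser reads), groups them per dump region, lists Opcode IDs that occur in more than one region, and lets you search the extracted strings.

```python
"""Cross-reference the per-function entries of a Joe Sandbox report.

Added example: parses the '• Field: value' blocks as they appear in this
report (assumed layout), groups functions by the memory-dump region they
were found in, and lists Opcode IDs that occur in more than one region.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"^\s*[•*-]\s*([A-Za-z _]+?):\s*(.*?)\s*$")
# "0000001F.00000002.<n>.<base>.<...>.sdmp, Offset: <base>, based on PE: true"
SOURCE_RE = re.compile(r"^([0-9A-Fa-f]{8})\.\S*?\.sdmp,\s*Offset:\s*([0-9A-Fa-f]+)")

# Constructed sample: four entries copied from the lsass section of this report
# (process index 0000001F = PID 31, injected regions 202C0AB0000 and 202C0AE0000).
SAMPLE = r"""
Memory Dump Source
• Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
• Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: aadaf6c08f9748136de9f6cbceaa287ca2a5a32013c1ebda6f4ef6558c209bf0
• Instruction Fuzzy Hash: EE119E23A10B54A9F7641568E8DE36D11406B683F8F0A0727AB76076EB8B2AC8CD424C
Memory Dump Source
• Source File: 0000001F.00000002.3107721527.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
• Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: 2438009d4eccd0bfdc5c9a2303f4341fa76b055f83bc79e43529a95e1e4287f6
• Instruction Fuzzy Hash: 5B112533A5CF09C9FAA42128E4CE37D10D07B59370F4B863BAB76163E7CA6AC84C4201
Memory Dump Source
• Source File: 0000001F.00000002.3107960596.00000202C0AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
• Snapshot File: hcaresult_31_2_202c0ae0000_lsass.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
• Instruction ID: 748eaec06fdd8304175141e91d7fcb10eea3299cf276c1654e8c92baf0a6311d
• Instruction Fuzzy Hash: 6DF01C66718B84C2FA148B53B99C11D6665AB48FD0F0A9233EF5A4BB2ADF3DC45D8700
Memory Dump Source
• Source File: 0000001F.00000002.3107721527.00000202C0AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
• Snapshot File: hcaresult_31_2_202c0ab0000_lsass.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: Locator'$riptor at (
• API String ID: 592178966-4215709766
• Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
• Instruction ID: 5205816057d34bf06f4ea810c880042c8f0231ff55e9ce8539c58bb0b426eeb2
• Instruction Fuzzy Hash: 30E08661601F44C0EF058F31D88419C73A4E758B54F8A9123DA4C06312EA38D1E9C300
"""


def parse_entries(text):
    """Return one dict per function entry; an entry ends at its Instruction Fuzzy Hash."""
    entries, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # section headings such as 'Similarity' carry no field
        key, value = m.groups()
        if key == "Source File":
            src = SOURCE_RE.match(value)
            if src:
                cur["pid"] = int(src.group(1), 16)   # hex process index -> decimal PID
                cur["base"] = src.group(2).upper()   # base address of the dumped region
        elif key == "Snapshot File":
            cur["snapshot"] = value
        elif key == "API ID":
            cur["api_id"] = value
        elif key == "String ID":
            cur["strings"] = [s for s in value.split("$") if s]  # '$' separates strings
        elif key in ("Opcode ID", "Instruction ID"):
            cur[key.lower().replace(" ", "_")] = value
        elif key == "Instruction Fuzzy Hash":
            if "opcode_id" in cur and "base" in cur:
                entries.append(cur)
            cur = {}
    return entries


def region(entry):
    return f"pid {entry['pid']} @ {entry['base']}"


def shared_opcodes(entries):
    """Opcode IDs present in more than one dump region (same code body, mapped twice)."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["opcode_id"]].add(region(e))
    return {op: sorted(regs) for op, regs in seen.items() if len(regs) > 1}


def api_ids_by_region(entries):
    """Sorted API ID labels per dump region, useful for a quick capability inventory."""
    inv = defaultdict(set)
    for e in entries:
        inv[region(e)].add(e.get("api_id", ""))
    return {r: sorted(a - {""}) for r, a in inv.items()}


def find_strings(entries, needle):
    """Entries whose extracted strings contain `needle` (case-insensitive substring)."""
    hits = []
    for e in entries:
        for s in e.get("strings", []):
            if needle.lower() in s.lower():
                hits.append((region(e), e.get("api_id", ""), s))
    return hits


ENTRIES = parse_entries(SAMPLE)

if __name__ == "__main__":
    for op, regs in shared_opcodes(ENTRIES).items():
        print(f"{op[:16]}... in {len(regs)} regions: {', '.join(regs)}")
    for r, apis in api_ids_by_region(ENTRIES).items():
        print(f"{r}: {', '.join(apis)}")
    for hit in find_strings(ENTRIES, "pipe"):
        print("pipe string:", hit)
```

On the four sample entries the shared-opcode list contains exactly the _set_statfp function, seen in both lsass regions; run over the whole report the same function reports every Opcode ID duplicated between the 202C0AB0000 and 202C0AE0000 dumps, which is the quickest way to confirm that the two regions hold copies of one payload rather than two different components.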

          Execution Graph

          Execution Coverage:0.7%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:0%
          Total number of Nodes:73
          Total number of Limit Nodes:2
execution_graph (rebuilt from the flattened node/edge dump; node = address [APIs called], "->" = edge, "<->" = edges both ways)
• 2a661301abc (entry) -> 2a661301628 [GetProcessHeap] -> 2a661301648 [__std_exception_copy] -> 2a661301268 [GetProcessHeap] (-> 2a661316168; 2a661301283 [GetProcessHeap] -> 2a6613012ae [__std_exception_copy] -> 2a661301650) -> 2a661301268 (2 API calls) -> 2a661301661 -> 2a661301268 (2 API calls) -> 2a66130166a -> 2a661301268 (2 API calls) -> 2a661301673 -> 2a66130168e [RegOpenKeyExW]
• 2a66130168e -> 2a6613018a6 -> 2a661301acb; 2a66130168e -> 2a6613016c0 [RegOpenKeyExW]
• 2a6613016c0 -> 2a6613016e9 -> 2a6613012bc [RegQueryInfoKeyW] (-> 2a66130148a [RegCloseKey] -> 2a6613016ff); 2a6613016c0 -> 2a6613016ff [RegOpenKeyExW]
• 2a6613016ff -> 2a661301723 -> 2a66130104c [RegQueryInfoKeyW] (-> 2a6613011b5 [RegCloseKey] -> 2a66130173a); 2a6613016ff -> 2a66130173a [RegOpenKeyExW]
• 2a66130173a -> 2a66130175e -> 2a6613012bc (13 API calls) -> 2a66130176b [RegCloseKey] -> 2a661301775; 2a66130173a -> 2a661301775 [RegOpenKeyExW]
• 2a661301775 -> 2a661301799 -> 2a6613012bc (13 API calls) -> 2a6613017a6 [RegCloseKey] -> 2a6613017b0; 2a661301775 -> 2a6613017b0 [RegOpenKeyExW]
• 2a6613017b0 -> 2a6613017d4 -> 2a6613012bc (13 API calls) -> 2a6613017e1 [RegCloseKey] -> 2a6613017eb; 2a6613017b0 -> 2a6613017eb [RegOpenKeyExW]
• 2a6613017eb -> 2a66130180f -> 2a66130104c (5 API calls) -> 2a66130181c [RegCloseKey] -> 2a661301826; 2a6613017eb -> 2a661301826 [RegOpenKeyExW]
• 2a661301826 -> 2a66130184a -> 2a66130104c (5 API calls) -> 2a661301857 [RegCloseKey] -> 2a661301861; 2a661301826 -> 2a661301861 [RegOpenKeyExW]
• 2a661301861 -> 2a661301885 -> 2a66130104c (5 API calls) -> 2a661301892 [RegCloseKey] -> 2a66130189c; 2a661301861 -> 2a66130189c [RegCloseKey] -> 2a6613018a6 -> 2a661301acb
• 2a661301acb <-> 2a661301ad2 [Sleep, SleepEx]; 2a661301acb <-> 2a661301598 [StrCmpIW, StrCmpW]
• 2a6613012bc [RegQueryInfoKeyW] -> 2a661301327 [GetProcessHeap] -> 2a66130133e [__std_exception_copy] <-> { 2a661301352 [RegEnumValueW], 2a6613013d3 [GetProcessHeap], 2a6613013f3 [GetProcessHeap, HeapFree] -> 2a66130141e [lstrlenW, GetProcessHeap], 2a661301443 [StrCpyW], 2a66130152c (-> 2a661301546 <-> 2a66130155d [StrCmpIW] / 2a661301565 [StrCmpW]; -> 2a66130157c) }; 2a66130133e -> 2a661301476 [GetProcessHeap, HeapFree] -> 2a66130148a [RegCloseKey]; 2a6613012bc -> 2a66130148a [RegCloseKey]
• 2a66130104c [RegQueryInfoKeyW] -> 2a6613010bf [__std_exception_copy] <-> { 2a6613010cf [RegEnumValueW], 2a66130114e [GetProcessHeap], 2a66130116e [GetProcessHeap, HeapFree] }; 2a6613010bf -> 2a6613011b5 [RegCloseKey]; 2a66130104c -> 2a6613011b5 [RegCloseKey]
• 2a6612d273c -> 2a6612d276a -> 2a6612d2858 [LoadLibraryA] (-> 2a6612d276a); 2a6612d276a -> 2a6612d28d4

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
          • String ID:
          • API String ID: 1683269324-0
          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction ID: 077229c1eed964279b07ec97370b47b92095969d86f76acc536d4c6ada0caa5e
          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction Fuzzy Hash: DC11AD70F246408BFB60EB61F98DB6923ECA746F46F8C41249907A3691EF7CC04C8283

          Control-flow Graph

          APIs
            • Part of subcall function 000002A661301628: GetProcessHeap.KERNEL32 ref: 000002A661301633
            • Part of subcall function 000002A661301628: HeapAlloc.KERNEL32 ref: 000002A661301642
            • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016B2
            • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613016DF
            • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613016F9
            • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301719
            • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301734
            • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301754
            • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A66130176F
            • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A66130178F
            • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613017AA
            • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A6613017CA
          • Sleep.KERNEL32 ref: 000002A661301AD7
          • SleepEx.KERNELBASE ref: 000002A661301ADD
            • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613017E5
            • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301805
            • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301820
            • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A661301840
            • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A66130185B
            • Part of subcall function 000002A661301628: RegOpenKeyExW.ADVAPI32 ref: 000002A66130187B
            • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A661301896
            • Part of subcall function 000002A661301628: RegCloseKey.ADVAPI32 ref: 000002A6613018A0
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: CloseOpen$HeapSleep$AllocProcess
          • String ID:
          • API String ID: 1534210851-0
          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction ID: 99b07525fd2711d8e82b8b49fba128a9359a21ce05ef994d83d7f8484eb62716
          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction Fuzzy Hash: F3314171B00A4593FF509B26DA4D3A963FCAB46FCAF0C54219E0BA7295FF1CC459C292

          Control-flow Graph

control_flow_graph for 2a661303844 (executed/not-executed block colouring is not recoverable from the text)
• 57: 2a661303844-2a66130384f -> 58 (2a661303869-2a661303870) or -> 59 (2a661303851-2a661303864, StrCmpNIW) -> 58 or -> 60 (2a661303866) -> 58
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID:
          • String ID: dialer
          • API String ID: 0-3528709123
          • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
          • Instruction ID: 84d7da99e8808b0adfb76846f8b28e16625e6655772c6f218550ef611b4de524
          • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
          • Instruction Fuzzy Hash: 59D0A760B512498BFF14DFE688CDA603798EB09F45F8C4034D90213150DF6C8A9D9711

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3089296987.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a6612d0000_svchost.jbxd
          Similarity
          • API ID: LibraryLoad
          • String ID:
          • API String ID: 1029625771-0
          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction ID: 1627250a6f1587746d6adcb486bc21ae0d1f8d3e6a0bb4f849c2ff22e67d6bd2
          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction Fuzzy Hash: DC61F0B2F016908BDB548F25D0487ADB3AEFB55FA4F688121DE5907788DF38D89AC701

          Control-flow Graph

control_flow_graph for 2a661302b2c (blocks 2a661302b2c-2a661302f03; executed/not-executed block colouring is not recoverable from the text)
• Prologue 2a661302b2c-2a661302ba5 calls 2a661322ce0; three conditional blocks (2a661302bab, 2a661302bb7, 2a661302bc0) each either continue or jump to the exit block 2a661302ee0-2a661302f03
• 2a661302bc9-2a661302bd9 GetModuleHandleA, optionally 2a661302bdb-2a661302beb call 2a661316090, then 2a661302bf0-2a661302c0e and 2a661302c14-2a661302c33 StrCmpNIW, with further checks at 2a661302c39, 2a661302c43 and 2a661302c53, all able to leave through the exit block
• Loop head 2a661302c60-2a661302c73 (re-entered from 2a661302ed2-2a661302eda), setup blocks through 2a661302c9d-2a661302ca7, then two near-identical branches starting at 2a661302cad and 2a661302da7: optional call 2a66130199c (2a661302cb2-2a661302cbf / 2a661302dac-2a661302db8), optional call 2a661301bbc (2a661302d3f-2a661302d49 / 2a661302dfa-2a661302e03), lstrlenW (2a661302d4b-2a661302d58 / 2a661302e05-2a661302e12), then a string compare through 2a66130152c (2a661302d66-2a661302d79 / 2a661302e20-2a661302e33) or 2a661303844 (2a661302d7b-2a661302d8d / 2a661302e35-2a661302e3f)
• Either branch can reach 2a661302e4a-2a661302e55, followed by up to three calls to 2a6613085c0 (2a661302e63-2a661302e7d, 2a661302e85-2a661302ea3, 2a661302eab-2a661302ec9) and 2a661302ecc-2a661302ed0 -> 2a661302ed2-2a661302eda, which returns to the loop head or falls through to the exit block
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
          • API String ID: 2119608203-3850299575
          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
          • Instruction ID: 517c12f0b0e1090de60bb0fcc7bf1fefb46beb5eab338aff40a4245cd4b9731a
          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
          • Instruction Fuzzy Hash: 52B17C72B10A9087EB649F35D64C7A963E9F746F86F485016EE0A63B94DF39CC48C381
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
          • String ID:
          • API String ID: 3140674995-0
          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
          • Instruction ID: cc74eacb843f1603229d41cad126e5c04d88afadf7cf4452611ec155d591a17a
          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
          • Instruction Fuzzy Hash: E5315072705B808AEB609F60E8483ED73A8F785B44F484429DA8E67B94EF7CC54DC710
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
          • String ID:
          • API String ID: 1239891234-0
          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
          • Instruction ID: 36f9f4375d1256616007857bae393de0df9f8980b3b202d925a5ac7eb32d36a2
          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
          • Instruction Fuzzy Hash: 4A316F32714F8086DB60CF25E84839E73A8F78AB55F580125EA9E53B68DF7CC159CB41

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
          • API String ID: 106492572-2879589442
          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
          • Instruction ID: c27f832fced2d29170b0e4fb301a485cb6098ecabde165e8eb95b814a7a813c5
          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
          • Instruction Fuzzy Hash: BA71F476B10E5087EB10DF65E89D69933B8FB8AF8DF081121DA4F67A68DF28C548C341

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
          • String ID: d
          • API String ID: 2005889112-2564639436
          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
          • Instruction ID: 5c01c19bc0298f85c8339ea94e196dd5b5f1323890ee4be88120aa0ba9bb59bc
          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
          • Instruction Fuzzy Hash: F0512776A14B8487EB50CFA2E44D35AB7B9F78AF89F094124DA4A27728DF7CC049C741

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: CurrentThread$AddressHandleModuleProc
          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
          • API String ID: 4175298099-1975688563
          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
          • Instruction ID: 147c2e2ec541b53145e726b289546c28288565d736413d3e5244b9f1f05d4738
          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
          • Instruction Fuzzy Hash: 8A31A064B10A5AA3EA04EBA5ED5E6D423A9B717F49F8C4113940B331659F3CC24DC3D2

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3089296987.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a6612d0000_svchost.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
          • API String ID: 190073905-1786718095
          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction ID: e87bf346922b52b2af9168f1f418e053012b6a09ee5fcf7955fafdcfd6fac762
          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction Fuzzy Hash: 0D81CE21F106818BFA54AB66D48D399329DAF87F80F5C8125DA4987796EF3CC9CD8703

          Control-flow Graph

          APIs
          • GetLastError.KERNEL32 ref: 000002A66130CE37
          • FlsGetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE4C
          • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE6D
          • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CE9A
          • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CEAB
          • FlsSetValue.KERNEL32(?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CEBC
          • SetLastError.KERNEL32 ref: 000002A66130CED7
          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF0D
          • FlsSetValue.KERNEL32(?,?,00000001,000002A66130ECCC,?,?,?,?,000002A66130BF9F,?,?,?,?,?,000002A661307AB0), ref: 000002A66130CF2C
            • Part of subcall function 000002A66130D6CC: HeapAlloc.KERNEL32 ref: 000002A66130D721
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF54
            • Part of subcall function 000002A66130D744: HeapFree.KERNEL32 ref: 000002A66130D75A
            • Part of subcall function 000002A66130D744: GetLastError.KERNEL32 ref: 000002A66130D764
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF65
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002A661310A6B,?,?,?,000002A66131045C,?,?,?,000002A66130C84F), ref: 000002A66130CF76
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Value$ErrorLast$Heap$AllocFree
          • String ID:
          • API String ID: 570795689-0
          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
          • Instruction ID: a3ebcece3df98fd1e9725f906f8bf8db5f5c64855dc8a79f9fd7b15e885684d0
          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
          • Instruction Fuzzy Hash: 77417420F0128443FA68A735595D36922DD5B47FB2F1C4764A93B376E6DF2C980D8393

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
          • API String ID: 2171963597-1373409510
          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
          • Instruction ID: 9e913e5ef9d9d4dd90f3ca067dd4efb44e8ac8cefc28dc1332a14b226ca3e093
          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
          • Instruction Fuzzy Hash: 6C213A72B18A9083EB10CB65E54D35A73A4F78ABA5F580215EA5A13AA8CF7CC149CB41

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
          • Instruction ID: f9dc5a9824cbe41745e6e6afb53450f4abea2dc5f6e99ba2920a5b912b4b268f
          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
          • Instruction Fuzzy Hash: AEE19F72B047448BEB20DF25A44C39D7BE8F746B99F084115DE8A67BA5CF38C189C782

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3089296987.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a6612d0000_svchost.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction ID: 681959dd6542599d6789764f186a42efd8a6d505218f830932f82b8ebb8010d4
          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction Fuzzy Hash: C1E17C32F04B808BEB609B65D45839D77ACFB56B98F181115EE8957B99CF38C0E9C702

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: AddressFreeLibraryProc
          • String ID: api-ms-$ext-ms-
          • API String ID: 3013587201-537541572
          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
          • Instruction ID: fa6adfc857896f79626ba7455a121a59232fbacac11bf9aa969e94737a29d1b3
          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
          • Instruction Fuzzy Hash: 2241E122B15A0083EA16DB56A80C75533DDBB46FE1F0E41259D0BB7784EF3CC44D838A

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
          • String ID: d
          • API String ID: 3743429067-2564639436
          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
          • Instruction ID: 29549edc3a05bb9f30fb41ffd792d5d1f480f0e7d2fd4d10c68227b69ff2f9b1
          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
          • Instruction Fuzzy Hash: 2B418B72614B80C7E764CF61E44839A77B5F389F89F488129DA8A17B58DF3CC489CB41
          APIs
          • FlsGetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D087
          • FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0A6
          • FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0CE
          • FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0DF
          • FlsSetValue.KERNEL32(?,?,?,000002A66130C7DE,?,?,?,?,?,?,?,?,000002A66130CF9D,?,?,00000001), ref: 000002A66130D0F0
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Value
          • String ID: 1%$Y%
          • API String ID: 3702945584-1395475152
          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
          • Instruction ID: bc4377a1b8938ee1d589c6b188f15fe87120af383a10576ee3c01281e8991c6e
          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
          • Instruction Fuzzy Hash: F2118620F0428443FA68A735595D36962DD5B46FF1F1C4324993B277DADF2CC40A8686
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID:
          • API String ID: 190073905-0
          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction ID: 94d9e67a34e61d90d8dc91a526529cd9d217a7a82295564c3aa49440afe65ca8
          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction Fuzzy Hash: 79810230F0064187FA50AB69984D39966ECAB87F82F1C44249A8B73396DF3DC84D8783
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Library$Load$AddressErrorFreeLastProc
          • String ID: api-ms-
          • API String ID: 2559590344-2084034818
          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
          • Instruction ID: 50e13fa17c3bf59197d400e801c98b0be272adff0d23520052f25ab3404dd5bc
          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
          • Instruction Fuzzy Hash: 3F319021B12A40A3EE11DF46A80C76562DCB74AFA1F5D05259D1F6B790DF3DC849C392
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
          • String ID: CONOUT$
          • API String ID: 3230265001-3130406586
          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
          • Instruction ID: ff65df3e6d8c9de4419cb773b33199b337b810cada23280e1cd4933ea371c746
          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
          • Instruction Fuzzy Hash: 8A116D32B14B8087E7509B52E84D31976B8F78AFE4F084224EA5F97794CF7CC8188781
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: CurrentProcessProtectVirtual$HandleModule
          • String ID: wr
          • API String ID: 1092925422-2678910430
          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
          • Instruction ID: 025d1bc40c232432275dae4ecc1318edf57f0e1ebcf64f5229914e418f725714
          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
          • Instruction Fuzzy Hash: F8115B76B04B8187EF149B62E40C66976B8FB8AF85F480029DE8E17794EF3DC609C705
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Thread$Current$Context
          • String ID:
          • API String ID: 1666949209-0
          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
          • Instruction ID: 5f5900bbcb72c6ae03449aabeaeaebc51276a3d35255987f9de81e93377eb069
          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
          • Instruction Fuzzy Hash: 3BD1B836604B8882EA70DB0AE49835A77F4F389F85F144216EACE57BA5CF3DC545CB81
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID: dialer
          • API String ID: 756756679-3528709123
          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
          • Instruction ID: 0dbaea95a655bbe900e3289c597c93d81e3b199630ae2b61a37e5e2c9be7583f
          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
          • Instruction Fuzzy Hash: AA31BF32B01B5183EA10DF66A64C76A67E8FB46FC5F0C40249E4A17B55EF3CC4A98381
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Value$ErrorLast
          • String ID:
          • API String ID: 2506987500-0
          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
          • Instruction ID: 0c3f37101a929da6b2ab2e1659a4edb589a4527edbf683f148d599b530f189ca
          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
          • Instruction Fuzzy Hash: A4116020B0028443FA64A7315A5D72962DE6B86FF1F1C4724A937676D6DF6C84098783
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
          • String ID:
          • API String ID: 517849248-0
          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
          • Instruction ID: 471f3759c9f5d2bef42bfea3fd4cb3963e2dd95c959e6c4d1128e52080657580
          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
          • Instruction Fuzzy Hash: C4015771B00A8083EA50DB92A85C35AA3A9F789FC5F884035DE8A63764DF7CC98DC741
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
          • String ID:
          • API String ID: 449555515-0
          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
          • Instruction ID: 79ca0cd446847db94c87b220a4133f292dc0ecc6b103301cedece9ec62c6ad04
          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
          • Instruction Fuzzy Hash: B8011BB5B15B8087EB249B62E80D71972B8BB46F86F080424CA4A27754EF7DC50CC742
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
          • String ID: csm$f
          • API String ID: 2395640692-629598281
          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction ID: 077875c1ecc3ba653c40cf27df437926aa55189474758356bf14258b29207a20
          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction Fuzzy Hash: AC517C32B0160087EB18DF15E84CB5937DAF346F99F198528DA5B63788EF79C849C782
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
          • String ID: csm$f
          • API String ID: 2395640692-629598281
          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction ID: ba38e771323935cd7c4c993903e564a77b026bca2c24c40e091b995464114721
          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction Fuzzy Hash: 39315432B0064087E714DF12E84CB1977A9F386F89F0A8418EA5B23789DF79C948C786
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: FinalHandleNamePathlstrlen
          • String ID: \\?\
          • API String ID: 2719912262-4282027825
          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
          • Instruction ID: b1b7e669e6661b3feae12b7b33b5b685191a7800304716cf001d880ba287570f
          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
          • Instruction Fuzzy Hash: 07F08C72B0468083FB208B60E88C35A63B9F749F88F888024DA4A57964DF6CC68DCB01
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: CombinePath
          • String ID: \\.\pipe\
          • API String ID: 3422762182-91387939
          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
          • Instruction ID: cf77e8b58ec68dbf932fe7d168add0dfe5d0c02535d993d737ff7324a50749b0
          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
          • Instruction Fuzzy Hash: 65F08CA0B04BC083EA008B93B90D119B2A9AB4AFC0F0C8430EE4B27B28DF7CC44D8701
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: AddressFreeHandleLibraryModuleProc
          • String ID: CorExitProcess$mscoree.dll
          • API String ID: 4061214504-1276376045
          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
          • Instruction ID: e21ae87d0ac0485e57b5ed7f78d9bcfc49820b6887902ab70198c3f652ea4012
          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
          • Instruction Fuzzy Hash: 24F06275B1164583EF108B64E84D3597368EB86F61F5C4619CA6B5B1E8CF6CC14DC341
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: CurrentThread
          • String ID:
          • API String ID: 2882836952-0
          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
          • Instruction ID: 9fa3ce34b8c865c90ad51e3620c2008df4696012e5c82a0db968548b5f0cb8e8
          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
          • Instruction Fuzzy Hash: 1002E832A19B8487EB60CB55F49835AB7E4F3C5B91F140015EA8E97BA8DF7DC488CB41
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: CurrentThread
          • String ID:
          • API String ID: 2882836952-0
          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
          • Instruction ID: 94fa4eeebce64f2b49e1f32bc3357c48cfb3c794009292f3f2d6159d2374f774
          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
          • Instruction Fuzzy Hash: AE61F636A19B44C7E7608B15E44C31AB7E8F389B85F580115EA8E57BA8DF7CC548CF82
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction ID: 66361736f5e8a90f3f2d0b71ac309b0d3cb3498acf01c0f7b7fefb88f4f0f5d8
          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction Fuzzy Hash: F211A022F10A5123F6641568E95F369354C6B7BBBCF5C0634E977277E6CF2CC84A8202
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3089296987.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a6612d0000_svchost.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction ID: 22cd65d3b8f6dd6f7d9b94902791a143805ac03df98696b6fd4da49aabfe5191
          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction Fuzzy Hash: F2118F22F10AD113FA649539F44D36911CD7B5FB76E4C8638A966073F68F2CCACD4202
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3089296987.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a6612d0000_svchost.jbxd
          Similarity
          • API ID: _invalid_parameter_noinfo
          • String ID: Tuesday$Wednesday$or copy constructor iterator'
          • API String ID: 3215553584-4202648911
          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
          • Instruction ID: 0bf1e752806efdf3d6918c8cb5621e3440e718aefe77ceb97043c9c5cc2f889e
          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
          • Instruction Fuzzy Hash: 80618E66F0024047FB658B75E54C32B66ADEB87F40F5D4519CA4A177A8DF3CC9CE820A
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: CallEncodePointerTranslator
          • String ID: MOC$RCC
          • API String ID: 3544855599-2084237596
          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction ID: af1233a52f56241061660763b27a88547fce862d6649db4ccb4df901e0d389cc
          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction Fuzzy Hash: 86614932B00B848AEB20DF65E44839D77E4F345B89F084215EE4A27BA8DF78C599C781
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction ID: 71553aecd4e6c0be1a45bd4f8553e36c14cf70e2545c3f161416fa0a9a176b52
          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction Fuzzy Hash: 7F519272B002808BEB648F25A49C35977E8F356F86F1C4119DA8A67BE5CF7CD458C782
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3089296987.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a6612d0000_svchost.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction ID: 9e9e64640e33ee222bca170c8ee76b8c2aa3a2d202631a961c3e70975ee64d6a
          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction Fuzzy Hash: CE515B32E042808BEBA48B26D44CB5877ADFB56F84F1C5116DA9987AE5CF7CD4D88702
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3089296987.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a6612d0000_svchost.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction ID: 8201e1b19b336b27b06942c19ab8646d026c506d3e7787226ca7cd4a84cb06ae
          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction Fuzzy Hash: 4751AF32F112008BEB14CB15E40CB59379DFB52F98F9AA124DA064378CEF38D9C89706
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3089296987.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a6612d0000_svchost.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction ID: cefbc8a046af985220aa2329bd1f73024f30a7703efedaf0860a35be415e2574
          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction Fuzzy Hash: 94317A35B1168097E7149B21E84C75937ACFB42F88F5A9018EE5A03788DF3CC988D706
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: FileWrite$ConsoleErrorLastOutput
          • String ID:
          • API String ID: 2718003287-0
          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
          • Instruction ID: daab32c25a9fadadc3e1a32652520a2a78c62dababe1d4e9fdec7867a8e6883d
          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
          • Instruction Fuzzy Hash: 7AD1E332B14A808AE711CFB5D54939C3BB9F356B98F284215DE5AB7B99DF38C40AC341
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$Free
          • String ID:
          • API String ID: 3168794593-0
          • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
          • Instruction ID: 921e1a85b60784aa0bba0433d9b0249e05675eea00effd83e5fc34bb76f58227
          • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
          • Instruction Fuzzy Hash: D5118BB6A00AD0C7E714DFA2A80D25977B8F78AF85F084035EA4A23726DF7CC058C741
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: ConsoleErrorLastMode
          • String ID:
          • API String ID: 953036326-0
          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
          • Instruction ID: f98e1d8c780189fb48322b240abb3135e65948d30303f15e17900ffbada13fd6
          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
          • Instruction Fuzzy Hash: 85918E72B1065486FB609F75994E3AD3BA8B747F98F284109DE0B77694DF38C48AC702
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
          • String ID:
          • API String ID: 2933794660-0
          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
          • Instruction ID: 1cc862d301829f27dd78957ba1fd8c5096fa0c01cbaac4e6f591e442f6dc95cb
          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
          • Instruction Fuzzy Hash: 14111F32B10F418AEB409B60E8593A833B8F719B58F480D21DA6E57794DF7CC1988381
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: FileType
          • String ID: \\.\pipe\
          • API String ID: 3081899298-91387939
          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
          • Instruction ID: a77167060b87a4fc452a4d9a47af32d2e27e7869f2a7b79b94de1e5e43e7598e
          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
          • Instruction Fuzzy Hash: 3571A436B0078147EA25DE35994C3AA67E8F386F95F580016DD0B63B89DF39C54DC782
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3089296987.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a6612d0000_svchost.jbxd
          Similarity
          • API ID: CallTranslator
          • String ID: MOC$RCC
          • API String ID: 3163161869-2084237596
          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction ID: 4c1e01fd7d14f6ffb4a4eaa44a0f6dfd295677d667dd27de79d18e1f6fb3ebd9
          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction Fuzzy Hash: 21614832F00B848AEB20DF65D48879D77A8FB45B88F084216EF4917B99DF38D199C701
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: FileType
          • String ID: \\.\pipe\
          • API String ID: 3081899298-91387939
          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
          • Instruction ID: 8b65ca84562374e5dcff84955426101dcfa6df48021d4bc966f847153521bb2b
          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
          • Instruction Fuzzy Hash: 03519232B0478183E664DA39A65C3AAA6E9F386F41F4A0125DD5B33B59DF3DC50C87C2
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: ErrorFileLastWrite
          • String ID: U
          • API String ID: 442123175-4171548499
          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
          • Instruction ID: 435cc8df130a4e77d3710c788b2ddf4808abbc3271533ea666418ec5651f9c6f
          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
          • Instruction Fuzzy Hash: E941E672B14A8087DB20DF25E94D3AA77A4F38AB94F584021EE4E97784DF7CC405C741
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: ExceptionFileHeaderRaise
          • String ID: csm
          • API String ID: 2573137834-1018135373
          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
          • Instruction ID: b3e6afc7812eff5d23d9e2531ddbd3c8dde3b3595130f4102b15f64d21df9287
          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
          • Instruction Fuzzy Hash: 5A115832604B8082EB218F15E448359B7E8FB89F94F1D4220EE8E17B68DF3CC555CB40
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3089296987.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a6612d0000_svchost.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: ierarchy Descriptor'$riptor at (
          • API String ID: 592178966-758928094
          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
          • Instruction ID: 0f3f6b22aa811685f5e546128debed61f89d1e56892167602ce41c22e1950124
          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
          • Instruction Fuzzy Hash: FDE04F65B50B8591DB028F62E8482D833A89B5AB64B489122D95C07311EB3CD2EDC301
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000020.00000002.3089296987.000002A6612D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a6612d0000_svchost.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: Locator'$riptor at (
          • API String ID: 592178966-4215709766
          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
          • Instruction ID: 93a3ced56bc647de6299b8a1905d2a6032edb69f7bc4320d41604ef82ca62c1f
          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
          • Instruction Fuzzy Hash: AEE08666F10B4481DF028F71E4441D87368EB5AF54B8C9122C95C07311EF3CD2E9C301
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID:
          • API String ID: 756756679-0
          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
          • Instruction ID: 72cf71b4c8bcd0622c645fc165e77207b5f5e2b8a8cfb2fde8c47a753de635a3
          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
          • Instruction Fuzzy Hash: FC115B75B01B8482EA04DB66A80D22A73E9EB8AFC5F1C4028DE4E67765DFBCC446C341
          APIs
          Memory Dump Source
          • Source File: 00000020.00000002.3090317443.000002A661300000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_32_2_2a661300000_svchost.jbxd
          Similarity
          • API ID: Heap$AllocProcess
          • String ID:
          • API String ID: 1617791916-0
          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
          • Instruction ID: b5369b631e5731d7a483f2840394a7dd6d44661382897b8f9f01a4c4ceb7f075
          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
          • Instruction Fuzzy Hash: 18E065B5B01A4487EB088FA2D80D34A36E5FB8AF06F09C024CD0A07361DFFD8499CB91

          Execution Graph

          Execution Coverage: 1.7%
          Dynamic/Decrypted Code Coverage: 95.3%
          Signature Coverage: 0%
          Total number of Nodes: 127
          Total number of Limit Nodes: 16
          execution_graph 14881 2baaedd3ab9 14886 2baaedd3a06 14881->14886 14882 2baaedd3a70 14883 2baaedd3a56 VirtualQuery 14883->14882 14883->14886 14884 2baaedd3a8a VirtualAlloc 14884->14882 14885 2baaedd3abb GetLastError 14884->14885 14885->14882 14885->14886 14886->14882 14886->14883 14886->14884 14887 2baaedd28c8 14889 2baaedd290e 14887->14889 14888 2baaedd2970 14889->14888 14891 2baaedd3844 14889->14891 14892 2baaedd3866 14891->14892 14893 2baaedd3851 StrCmpNIW 14891->14893 14892->14889 14893->14892 14894 2baaeda273c 14895 2baaeda276a 14894->14895 14896 2baaeda27c5 VirtualAlloc 14895->14896 14899 2baaeda28d4 14895->14899 14898 2baaeda27ec 14896->14898 14896->14899 14897 2baaeda2858 LoadLibraryA 14897->14898 14898->14897 14898->14899 14900 2baaedd5cf0 14901 2baaedd5cfd 14900->14901 14902 2baaedd5d09 14901->14902 14909 2baaedd5e1a 14901->14909 14903 2baaedd5d3e 14902->14903 14904 2baaedd5d8d 14902->14904 14905 2baaedd5d66 SetThreadContext 14903->14905 14905->14904 14906 2baaedd5efe 14908 2baaedd5f1e 14906->14908 14922 2baaedd43e0 14906->14922 14907 2baaedd5e41 VirtualProtect FlushInstructionCache 14907->14909 14918 2baaedd4df0 GetCurrentProcess 14908->14918 14909->14906 14909->14907 14912 2baaedd5f23 14913 2baaedd5f77 14912->14913 14914 2baaedd5f37 ResumeThread 14912->14914 14926 2baaedd7940 14913->14926 14915 2baaedd5f6b 14914->14915 14915->14912 14917 2baaedd5fbf 14919 2baaedd4e0c 14918->14919 14920 2baaedd4e53 14919->14920 14921 2baaedd4e22 VirtualProtect FlushInstructionCache 14919->14921 14920->14912 14921->14919 14924 2baaedd43fc 14922->14924 14923 2baaedd445f 14923->14908 14924->14923 14925 2baaedd4412 VirtualFree 14924->14925 14925->14924 14927 2baaedd7949 14926->14927 14928 2baaedd7954 14927->14928 14929 2baaedd812c IsProcessorFeaturePresent 14927->14929 14928->14917 14930 2baaedd8144 14929->14930 14933 2baaedd8320 RtlCaptureContext 14930->14933 14932 2baaedd8157 14932->14917 14934 2baaedd833a RtlLookupFunctionEntry 14933->14934 14935 2baaedd8389 
14934->14935 14936 2baaedd8350 RtlVirtualUnwind 14934->14936 14935->14932 14936->14934 14936->14935 14937 2baaedd554d 14939 2baaedd5554 14937->14939 14938 2baaedd55bb 14939->14938 14940 2baaedd5637 VirtualProtect 14939->14940 14941 2baaedd5663 GetLastError 14940->14941 14942 2baaedd5671 14940->14942 14941->14942 14943 2baaedd1abc 14948 2baaedd1628 GetProcessHeap 14943->14948 14945 2baaedd1ad2 Sleep SleepEx 14946 2baaedd1acb 14945->14946 14946->14945 14947 2baaedd1598 StrCmpIW StrCmpW 14946->14947 14947->14946 14949 2baaedd1648 _invalid_parameter_noinfo 14948->14949 14993 2baaedd1268 GetProcessHeap 14949->14993 14951 2baaedd1650 14952 2baaedd1268 2 API calls 14951->14952 14953 2baaedd1661 14952->14953 14954 2baaedd1268 2 API calls 14953->14954 14955 2baaedd166a 14954->14955 14956 2baaedd1268 2 API calls 14955->14956 14957 2baaedd1673 14956->14957 14958 2baaedd168e RegOpenKeyExW 14957->14958 14959 2baaedd18a6 14958->14959 14960 2baaedd16c0 RegOpenKeyExW 14958->14960 14959->14946 14961 2baaedd16e9 14960->14961 14962 2baaedd16ff RegOpenKeyExW 14960->14962 15004 2baaedd12bc RegQueryInfoKeyW 14961->15004 14964 2baaedd1723 14962->14964 14965 2baaedd173a RegOpenKeyExW 14962->14965 14997 2baaedd104c RegQueryInfoKeyW 14964->14997 14966 2baaedd1775 RegOpenKeyExW 14965->14966 14967 2baaedd175e 14965->14967 14972 2baaedd1799 14966->14972 14973 2baaedd17b0 RegOpenKeyExW 14966->14973 14971 2baaedd12bc 13 API calls 14967->14971 14974 2baaedd176b RegCloseKey 14971->14974 14975 2baaedd12bc 13 API calls 14972->14975 14976 2baaedd17d4 14973->14976 14977 2baaedd17eb RegOpenKeyExW 14973->14977 14974->14966 14978 2baaedd17a6 RegCloseKey 14975->14978 14979 2baaedd12bc 13 API calls 14976->14979 14980 2baaedd1826 RegOpenKeyExW 14977->14980 14981 2baaedd180f 14977->14981 14978->14973 14984 2baaedd17e1 RegCloseKey 14979->14984 14982 2baaedd1861 RegOpenKeyExW 14980->14982 14983 2baaedd184a 14980->14983 14985 2baaedd104c 5 API calls 14981->14985 14988 2baaedd1885 14982->14988 14989 2baaedd189c 
RegCloseKey 14982->14989 14987 2baaedd104c 5 API calls 14983->14987 14984->14977 14986 2baaedd181c RegCloseKey 14985->14986 14986->14980 14990 2baaedd1857 RegCloseKey 14987->14990 14991 2baaedd104c 5 API calls 14988->14991 14989->14959 14990->14982 14992 2baaedd1892 RegCloseKey 14991->14992 14992->14989 15015 2baaede6168 14993->15015 14995 2baaedd1283 GetProcessHeap 14996 2baaedd12ae _invalid_parameter_noinfo 14995->14996 14996->14951 14998 2baaedd11b5 RegCloseKey 14997->14998 14999 2baaedd10bf 14997->14999 14998->14965 14999->14998 15000 2baaedd10cf RegEnumValueW 14999->15000 15002 2baaedd1125 _invalid_parameter_noinfo 15000->15002 15001 2baaedd114e GetProcessHeap 15001->15002 15002->14998 15002->15000 15002->15001 15003 2baaedd116e GetProcessHeap HeapFree 15002->15003 15003->15002 15005 2baaedd1327 GetProcessHeap 15004->15005 15006 2baaedd148a RegCloseKey 15004->15006 15012 2baaedd133e _invalid_parameter_noinfo 15005->15012 15006->14962 15007 2baaedd1476 GetProcessHeap HeapFree 15007->15006 15008 2baaedd1352 RegEnumValueW 15008->15012 15010 2baaedd13d3 GetProcessHeap 15010->15012 15011 2baaedd141e lstrlenW GetProcessHeap 15011->15012 15012->15007 15012->15008 15012->15010 15012->15011 15013 2baaedd1443 StrCpyW 15012->15013 15014 2baaedd13f3 GetProcessHeap HeapFree 15012->15014 15016 2baaedd152c 15012->15016 15013->15012 15014->15011 15017 2baaedd157c 15016->15017 15020 2baaedd1546 15016->15020 15017->15012 15018 2baaedd1565 StrCmpW 15018->15020 15019 2baaedd155d StrCmpIW 15019->15020 15020->15017 15020->15018 15020->15019

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
          • API String ID: 106492572-2879589442
          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
          • Instruction ID: 1cd993aa2e4ca2ca68512b5fa9006a8bf35805f96022a16a3de0c38e9af3347a
          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
          • Instruction Fuzzy Hash: 03713936311A10CAEB50EF75E8986AD33B5FB84B98F201116DE8E97B68DF38C544C361

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: CurrentProcessProtectVirtual$HandleModule
          • String ID: wr
          • API String ID: 1092925422-2678910430
          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
          • Instruction ID: 462342938f27d681e7f45fad441101ff68967ea814c45b17604f347c0a4b5bf3
          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
          • Instruction Fuzzy Hash: 7411353A705B8182EF689B21E44C26973B1FB88B95F64002ADEDD87B94EF3DC505C725

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 59 2baaedd5b30-2baaedd5b57 60 2baaedd5b59-2baaedd5b68 59->60 61 2baaedd5b6b-2baaedd5b76 GetCurrentThreadId 59->61 60->61 62 2baaedd5b78-2baaedd5b7d 61->62 63 2baaedd5b82-2baaedd5b89 61->63 66 2baaedd5faf-2baaedd5fc6 call 2baaedd7940 62->66 64 2baaedd5b9b-2baaedd5baf 63->64 65 2baaedd5b8b-2baaedd5b96 call 2baaedd5960 63->65 69 2baaedd5bbe-2baaedd5bc4 64->69 65->66 72 2baaedd5c95-2baaedd5cb6 69->72 73 2baaedd5bca-2baaedd5bd3 69->73 77 2baaedd5e1f-2baaedd5e30 call 2baaedd74bf 72->77 78 2baaedd5cbc-2baaedd5cdc GetThreadContext 72->78 75 2baaedd5bd5-2baaedd5c18 call 2baaedd85c0 73->75 76 2baaedd5c1a-2baaedd5c8d call 2baaedd4510 call 2baaedd44b0 call 2baaedd4470 73->76 88 2baaedd5c90 75->88 76->88 92 2baaedd5e35-2baaedd5e3b 77->92 81 2baaedd5ce2-2baaedd5d03 78->81 82 2baaedd5e1a 78->82 81->82 91 2baaedd5d09-2baaedd5d12 81->91 82->77 88->69 94 2baaedd5d92-2baaedd5da3 91->94 95 2baaedd5d14-2baaedd5d25 91->95 96 2baaedd5efe-2baaedd5f0e 92->96 97 2baaedd5e41-2baaedd5e98 VirtualProtect FlushInstructionCache 92->97 106 2baaedd5e15 94->106 107 2baaedd5da5-2baaedd5dc3 94->107 102 2baaedd5d27-2baaedd5d3c 95->102 103 2baaedd5d8d 95->103 100 2baaedd5f1e-2baaedd5f2a call 2baaedd4df0 96->100 101 2baaedd5f10-2baaedd5f17 96->101 104 2baaedd5ec9-2baaedd5ef9 call 2baaedd78ac 97->104 105 2baaedd5e9a-2baaedd5ea4 97->105 121 2baaedd5f2f-2baaedd5f35 100->121 101->100 110 2baaedd5f19 call 2baaedd43e0 101->110 102->103 112 2baaedd5d3e-2baaedd5d88 call 2baaedd3970 SetThreadContext 102->112 103->106 104->92 105->104 113 2baaedd5ea6-2baaedd5ec1 call 2baaedd4390 105->113 107->106 108 2baaedd5dc5-2baaedd5e10 call 2baaedd3900 call 2baaedd74dd 107->108 108->106 110->100 112->103 113->104 125 2baaedd5f77-2baaedd5f95 121->125 126 2baaedd5f37-2baaedd5f75 ResumeThread call 2baaedd78ac 121->126 128 2baaedd5f97-2baaedd5fa6 125->128 129 2baaedd5fa9 125->129 126->121 128->129 129->66
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Thread$Current$Context
          • String ID:
          • API String ID: 1666949209-0
          • Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
          • Instruction ID: 495d57ed8553111e4e128e1b6255c028dc87b89d2567e538d286b7ba3df4ff32
          • Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
          • Instruction Fuzzy Hash: 71D1A936209B88C6DA70DB1AE49835A77B0F7C8B84F200516EACD87BA9DF3DC551CB51

          Control-flow Graph

          • Graph rendering not recoverable; edge list omitted. API calls at graph nodes: GetCurrentThreadId, VirtualProtect, GetLastError
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: CurrentThread
          • String ID:
          • API String ID: 2882836952-0
          • Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
          • Instruction ID: debfef5cb2b2f1efafcd3bde8b349a94f9ea710e3e20d61597c4b0ade23fd8dd
          • Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
          • Instruction Fuzzy Hash: 9402D83221AB84C6EB60DB59E49435ABBB1F3C4794F204416EACE87BA9DF7CC454CB11

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Virtual$AllocQuery
          • String ID:
          • API String ID: 31662377-0
          • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
          • Instruction ID: e57386cb4ae447fc151b5581e62860c8597a884605dd7c21122e93a40e2eb5d5
          • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
          • Instruction Fuzzy Hash: 4131242231BB8481EA71DB19E09939E77B4F388784F201526F5CD86BA9DF7DC540CB16

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
          • String ID:
          • API String ID: 1683269324-0
          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction ID: d9976a28d3edefbc484b26820ec4384613920bc9bede386f6cfe404f3c3adaa6
          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction Fuzzy Hash: E911803161274082FB60AB25FA8D76933B4E754B44F70512AD9CEC5595EF78C144C273

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
          • String ID:
          • API String ID: 3733156554-0
          • Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
          • Instruction ID: a094a045ce428c8382e8de798b1b9a6c7c6ee4977feabb25ddd08a1ad637c0c8
          • Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
          • Instruction Fuzzy Hash: 6EF03A26219B04C0D631DB01E48934EBBB0F388BD4F240116FACD83BA9CB3CC690CB21

          Control-flow Graph

          • Graph rendering not recoverable; edge list omitted. API calls at graph nodes: VirtualAlloc, LoadLibraryA
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146137933.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaeda0000_dwm.jbxd
          Similarity
          • API ID: AllocLibraryLoadVirtual
          • String ID:
          • API String ID: 3550616410-0
          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction ID: eb3719fafc7ec8463c302ea4e313405cb53f27c6a32c8c03131f423db2fe9aad
          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction Fuzzy Hash: 46612532B0169087DB64CF2AD40872DB3B2FB54FA4F688525DE9D07788DB38D962C721

          Control-flow Graph

          APIs
            • Part of subcall function 000002BAAEDD1628: GetProcessHeap.KERNEL32 ref: 000002BAAEDD1633
            • Part of subcall function 000002BAAEDD1628: HeapAlloc.KERNEL32 ref: 000002BAAEDD1642
            • Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD16B2
            • Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD16DF
            • Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD16F9
            • Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD1719
            • Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD1734
            • Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD1754
            • Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD176F
            • Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD178F
            • Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD17AA
            • Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD17CA
          • Sleep.KERNEL32 ref: 000002BAAEDD1AD7
          • SleepEx.KERNELBASE ref: 000002BAAEDD1ADD
            • Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD17E5
            • Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD1805
            • Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD1820
            • Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD1840
            • Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD185B
            • Part of subcall function 000002BAAEDD1628: RegOpenKeyExW.ADVAPI32 ref: 000002BAAEDD187B
            • Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD1896
            • Part of subcall function 000002BAAEDD1628: RegCloseKey.ADVAPI32 ref: 000002BAAEDD18A0
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: CloseOpen$HeapSleep$AllocProcess
          • String ID:
          • API String ID: 1534210851-0
          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction ID: 028ec452a4f0b78a77d2aa10aed9f1aa3cfbe43c61dc3217750bbde5e745066d
          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction Fuzzy Hash: F1310E613026418AFF50DB26DAD93A933B4EB85BC0F25542B9E8DC76D6FF24C851C232

          Control-flow Graph

          • Graph rendering not recoverable; edge list omitted. API calls at graph nodes: GetModuleHandleA, StrCmpNIW, lstrlenW
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
          • API String ID: 2119608203-3850299575
          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
          • Instruction ID: 244459b2691c9ea1546b74905166c69a74a720a8b5835bd8b698fe6183e793f5
          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
          • Instruction Fuzzy Hash: 0BB1D232212A5086EBA5CF29D4887AD73B9FB44B94F245017EE8D97794EF35CC40C7A1
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
          • String ID:
          • API String ID: 3140674995-0
          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
          • Instruction ID: f6c8eb9593b9122dbc2720b69259074f0fe4044569e8aa2285e5cf620b589d8b
          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
          • Instruction Fuzzy Hash: 8D316272205B80CAEB609F61E8887ED7374F784744F54442ADB8E97B94EF38C548C721
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
          • String ID:
          • API String ID: 1239891234-0
          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
          • Instruction ID: 9edfd3bd37e08e8e69f0fca97c81255803323914939902e9cdf50607b9e637f6
          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
          • Instruction Fuzzy Hash: 92318336215F8086DB60CF25E88839E73B4F789758F640226EADD43B99DF38C555CB11

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
          • String ID: d
          • API String ID: 2005889112-2564639436
          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
          • Instruction ID: ec81597e3f60307067323c4174b85f0f24e223b8e3f291c95bdd44fbf5461747
          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
          • Instruction Fuzzy Hash: 22515A36201B848AEB51CF62E44C39AB7B1F789F99F644129DA9E47758DF3CC049CB11

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: CurrentThread$AddressHandleModuleProc
          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
          • API String ID: 4175298099-1975688563
          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
          • Instruction ID: 939a712cbb25611334bf524d7ded25ea8778c7245202bd4b8ee26e49628c4f30
          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
          • Instruction Fuzzy Hash: 6531B265602A4AA1EA04EFB9EC9D7E43331F744788FF05413E4DD86576AF388249C372

          Control-flow Graph

          • Graph rendering not recoverable; edge list omitted. Named functions at graph nodes: __scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146137933.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaeda0000_dwm.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
          • API String ID: 190073905-1786718095
          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction ID: 32cdc5dd754b9265ed1b62c1cf3c1166db28a6efdf1a5dfff2fed84b291f1566
          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction Fuzzy Hash: EE81E021700241C6FA90AF26944D39933F1EB89B80F748425AAED477D6EB39CB65C723

          Control-flow Graph

          APIs
          • GetLastError.KERNEL32 ref: 000002BAAEDDCE37
          • FlsGetValue.KERNEL32(?,?,?,000002BAAEDE0A6B,?,?,?,000002BAAEDE045C,?,?,?,000002BAAEDDC84F), ref: 000002BAAEDDCE4C
          • FlsSetValue.KERNEL32(?,?,?,000002BAAEDE0A6B,?,?,?,000002BAAEDE045C,?,?,?,000002BAAEDDC84F), ref: 000002BAAEDDCE6D
          • FlsSetValue.KERNEL32(?,?,?,000002BAAEDE0A6B,?,?,?,000002BAAEDE045C,?,?,?,000002BAAEDDC84F), ref: 000002BAAEDDCE9A
          • FlsSetValue.KERNEL32(?,?,?,000002BAAEDE0A6B,?,?,?,000002BAAEDE045C,?,?,?,000002BAAEDDC84F), ref: 000002BAAEDDCEAB
          • FlsSetValue.KERNEL32(?,?,?,000002BAAEDE0A6B,?,?,?,000002BAAEDE045C,?,?,?,000002BAAEDDC84F), ref: 000002BAAEDDCEBC
          • SetLastError.KERNEL32 ref: 000002BAAEDDCED7
          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEDE0A6B,?,?,?,000002BAAEDE045C,?,?,?,000002BAAEDDC84F), ref: 000002BAAEDDCF0D
          • FlsSetValue.KERNEL32(?,?,00000001,000002BAAEDDECCC,?,?,?,?,000002BAAEDDBF9F,?,?,?,?,?,000002BAAEDD7AB0), ref: 000002BAAEDDCF2C
            • Part of subcall function 000002BAAEDDD6CC: HeapAlloc.KERNEL32 ref: 000002BAAEDDD721
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEDE0A6B,?,?,?,000002BAAEDE045C,?,?,?,000002BAAEDDC84F), ref: 000002BAAEDDCF54
            • Part of subcall function 000002BAAEDDD744: HeapFree.KERNEL32 ref: 000002BAAEDDD75A
            • Part of subcall function 000002BAAEDDD744: GetLastError.KERNEL32 ref: 000002BAAEDDD764
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEDE0A6B,?,?,?,000002BAAEDE045C,?,?,?,000002BAAEDDC84F), ref: 000002BAAEDDCF65
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000002BAAEDE0A6B,?,?,?,000002BAAEDE045C,?,?,?,000002BAAEDDC84F), ref: 000002BAAEDDCF76
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Value$ErrorLast$Heap$AllocFree
          • String ID:
          • API String ID: 570795689-0
          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
          • Instruction ID: 3ccf6e0709a1f3939a3e4219f7cf81b36719bbc4f8e4627ee42f2d96a96075ef
          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
          • Instruction Fuzzy Hash: BE41506034324441FA69A73595DE36D33B69F857B4F340B2AA9BEC66E7DF289401C233
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
          • API String ID: 2171963597-1373409510
          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
          • Instruction ID: 4a7d29512c951e66723afc66f0934404ee38fd8be82791d03fa9e4942a9561b4
          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
          • Instruction Fuzzy Hash: 6B213832614B50C2EB10CB25E44C36A73B0F789BA4F600215EAAD42AA8CF3CC549CB12
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
          • Instruction ID: 97ac89eda0f4d41870f5a33cb62d4cc70552d40d9aacd6e715e466f0260c4aa3
          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
          • Instruction Fuzzy Hash: DBE18D72606B808AEB20DF65D4C839D77B0F745B98F644116EECD9BB99DB38C091C722
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146137933.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaeda0000_dwm.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction ID: 11837b641cf7fbaa2370180d18065cadece89f3cd28ec07f1272569ac3389919
          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction Fuzzy Hash: 07E1C072604B808AEB60DF75E48839D77B0F755B88F205516EECD57B9ACB34C2A1C722
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: AddressFreeLibraryProc
          • String ID: api-ms-$ext-ms-
          • API String ID: 3013587201-537541572
          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
          • Instruction ID: b938e6fe1cc072fc95406c62684ee8ed2aac938f0b4d8fdcfb3a9e21255bc808
          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
          • Instruction Fuzzy Hash: 9841D422312A1095FB26CB56A84C75973B1FB45BE0F69412A9D9EC7785EF38C445C322
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
          • String ID: d
          • API String ID: 3743429067-2564639436
          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
          • Instruction ID: 4527fdb878b39ff380404acb4f6d429ea2867cef135adaec55ed8b87c47ffa2b
          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
          • Instruction Fuzzy Hash: A8415E33214B84CAE760CF21E44879E77B1F389B98F548129DB8947B98DF38C949CB51
          APIs
          • FlsGetValue.KERNEL32(?,?,?,000002BAAEDDC7DE,?,?,?,?,?,?,?,?,000002BAAEDDCF9D,?,?,00000001), ref: 000002BAAEDDD087
          • FlsSetValue.KERNEL32(?,?,?,000002BAAEDDC7DE,?,?,?,?,?,?,?,?,000002BAAEDDCF9D,?,?,00000001), ref: 000002BAAEDDD0A6
          • FlsSetValue.KERNEL32(?,?,?,000002BAAEDDC7DE,?,?,?,?,?,?,?,?,000002BAAEDDCF9D,?,?,00000001), ref: 000002BAAEDDD0CE
          • FlsSetValue.KERNEL32(?,?,?,000002BAAEDDC7DE,?,?,?,?,?,?,?,?,000002BAAEDDCF9D,?,?,00000001), ref: 000002BAAEDDD0DF
          • FlsSetValue.KERNEL32(?,?,?,000002BAAEDDC7DE,?,?,?,?,?,?,?,?,000002BAAEDDCF9D,?,?,00000001), ref: 000002BAAEDDD0F0
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Value
          • String ID: 1%$Y%
          • API String ID: 3702945584-1395475152
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID:
          • API String ID: 190073905-0
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Library$Load$AddressErrorFreeLastProc
          • String ID: api-ms-
          • API String ID: 2559590344-2084034818
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
          • String ID: CONOUT$
          • API String ID: 3230265001-3130406586
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID: dialer
          • API String ID: 756756679-3528709123
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Value$ErrorLast
          • String ID:
          • API String ID: 2506987500-0
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
          • String ID:
          • API String ID: 517849248-0
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
          • String ID:
          • API String ID: 449555515-0
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
          • String ID: csm$f
          • API String ID: 2395640692-629598281
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: FinalHandleNamePathlstrlen
          • String ID: \\?\
          • API String ID: 2719912262-4282027825
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: CombinePath
          • String ID: \\.\pipe\
          • API String ID: 3422762182-91387939
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: AddressFreeHandleLibraryModuleProc
          • String ID: CorExitProcess$mscoree.dll
          • API String ID: 4061214504-1276376045
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: CurrentThread
          • String ID:
          • API String ID: 2882836952-0
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146137933.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaeda0000_dwm.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146137933.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaeda0000_dwm.jbxd
          Similarity
          • API ID: _invalid_parameter_noinfo
          • String ID: Tuesday$Wednesday$or copy constructor iterator'
          • API String ID: 3215553584-4202648911
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: CallEncodePointerTranslator
          • String ID: MOC$RCC
          • API String ID: 3544855599-2084237596
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146137933.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaeda0000_dwm.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146137933.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaeda0000_dwm.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146137933.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaeda0000_dwm.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: FileWrite$ConsoleErrorLastOutput
          • String ID:
          • API String ID: 2718003287-0
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Heap$Process$Free
          • String ID:
          • API String ID: 3168794593-0
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: ConsoleErrorLastMode
          • String ID:
          • API String ID: 953036326-0
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
          • String ID:
          • API String ID: 2933794660-0
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: FileType
          • String ID: \\.\pipe\
          • API String ID: 3081899298-91387939
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146137933.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaeda0000_dwm.jbxd
          Similarity
          • API ID: CallTranslator
          • String ID: MOC$RCC
          • API String ID: 3163161869-2084237596
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: FileType
          • String ID: \\.\pipe\
          • API String ID: 3081899298-91387939
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: ErrorFileLastWrite
          • String ID: U
          • API String ID: 442123175-4171548499
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: ExceptionFileHeaderRaise
          • String ID: csm
          • API String ID: 2573137834-1018135373
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146137933.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaeda0000_dwm.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: ierarchy Descriptor'$riptor at (
          • API String ID: 592178966-758928094
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000021.00000002.3146137933.000002BAAEDA0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDA0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaeda0000_dwm.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: Locator'$riptor at (
          • API String ID: 592178966-4215709766
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID:
          • API String ID: 756756679-0
          APIs
          Memory Dump Source
          • Source File: 00000021.00000002.3146221400.000002BAAEDD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_33_2_2baaedd0000_dwm.jbxd
          Similarity
          • API ID: Heap$AllocProcess
          • String ID:
          • API String ID: 1617791916-0

          Execution Graph

          Execution Coverage:0.7%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:0%
          Total number of Nodes:73
          Total number of Limit Nodes:2

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
          • API String ID: 106492572-2879589442
          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
          • Instruction ID: 8b3f40dc757b03efebebe1ec2b21d8ee4b81ef9a05be350be4598fcd48a0c6e5
          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
          • Instruction Fuzzy Hash: 99715D76310E1086EF90DF66E89869D3BB4FB85B88F405111EE4E67B68EF3AC444CB45

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
          • String ID:
          • API String ID: 1683269324-0
          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction ID: bbd561d3a30add4c1150a9458a01d63078364739115671f5aea34e55c8598808
          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction Fuzzy Hash: 0211807261064182FFE0AB22F90D35D36A4A7D4385FD04124EA0EA3696EFBBC0849F13

          Control-flow Graph

          APIs
            • Part of subcall function 0000026A879C1628: GetProcessHeap.KERNEL32 ref: 0000026A879C1633
            • Part of subcall function 0000026A879C1628: HeapAlloc.KERNEL32 ref: 0000026A879C1642
            • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C16B2
            • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C16DF
            • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C16F9
            • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1719
            • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1734
            • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1754
            • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C176F
            • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C178F
            • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C17AA
            • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C17CA
          • Sleep.KERNEL32 ref: 0000026A879C1AD7
          • SleepEx.KERNELBASE ref: 0000026A879C1ADD
            • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C17E5
            • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1805
            • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1820
            • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C1840
            • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C185B
            • Part of subcall function 0000026A879C1628: RegOpenKeyExW.ADVAPI32 ref: 0000026A879C187B
            • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C1896
            • Part of subcall function 0000026A879C1628: RegCloseKey.ADVAPI32 ref: 0000026A879C18A0
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: CloseOpen$HeapSleep$AllocProcess
          • String ID:
          • API String ID: 1534210851-0
          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction ID: 5eed58e8f7c032d1df488f6ec5371d2936970acb8e97615792f8d803c15a43b0
          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction Fuzzy Hash: 2931E5F5240A4581FFD0AB26DA493BD73A4ABC4BD0F0454219E09A77DAFF26C491CE1A

          Control-flow Graph

          Control-flow graph for function 26a8799273c (graph data omitted; executed and not-executed blocks are distinguished in the rendered image). The only API call in the graph is LoadLibraryA at 26a87992858; the function otherwise calls 26a879929d4.
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3074727733.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a87990000_svchost.jbxd
          Similarity
          • API ID: LibraryLoad
          • String ID:
          • API String ID: 1029625771-0
          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction ID: 57387411ffdeb412b963753acb60f61000c0759ef6c355c86f1a01fa76b5fc3d
          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction Fuzzy Hash: B5613532B016908BFB94CF15D10872DF3A6FB54BA4F588121DF59277C8DA39D892CB01

          Control-flow Graph

          Control-flow graph for function 26a879c2b2c (graph data omitted; executed and not-executed blocks are distinguished in the rendered image). API calls in the graph: GetModuleHandleA, StrCmpNIW, lstrlenW; internal calls to 26a879e2ce0, 26a879d6090, 26a879c199c, 26a879c1bbc, 26a879c3844, 26a879c152c and 26a879c85c0.
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
          • API String ID: 2119608203-3850299575
          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
          • Instruction ID: 28832ac34e84ece53f7b50bb78eaf8a37b486e288825972d32e086a5872c7075
          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
          • Instruction Fuzzy Hash: 42B17A76210A9082EFE8DF25D4487AD77A5FB94B84F445026EE0977798EF36CC80CB42
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
          • String ID:
          • API String ID: 3140674995-0
          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
          • Instruction ID: 938e5285386ac3705a1524c506204be3636963da77c64c4e1ce6b6d8eddc6828
          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
          • Instruction Fuzzy Hash: 50315072205B808AEBA0DF60E8847ED7B64F785744F44442AEB4D67B98EF39C548CB11
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
          • String ID:
          • API String ID: 1239891234-0
          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
          • Instruction ID: d1d1b9292f01f4f5fbfa14a2dc646865464e2607e4ff46e76a86c3c994235719
          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
          • Instruction Fuzzy Hash: DC318132214F8086EBA0DF25E88439E7BA4F7C9798F540126EA9D53B98EF39C545CF01

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
          • String ID: d
          • API String ID: 2005889112-2564639436
          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
          • Instruction ID: 07cfe981894990384c0c086665b30c926e9edc38e061a20603f020415e03ff94
          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
          • Instruction Fuzzy Hash: 70514A76204B8486EB94CF62E54835EBFA1F78AFD9F048124EA4A57758EF3DC049CB01

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: CurrentThread$AddressHandleModuleProc
          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
          • API String ID: 4175298099-1975688563
          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
          • Instruction ID: dfe63a10a49480e1aef6057fb1ce33c2d81f6763df8e5d6cfa68f1b74ee8636c
          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
          • Instruction Fuzzy Hash: EF31C8B5144A4AA0FE94EF65E85A7EC3B24F784348FC04013954933176AFBEC289CF92

          Control-flow Graph

          Control-flow graph for function 26a87996910 (graph data omitted; executed and not-executed blocks are distinguished in the rendered image). The graph contains CRT start-up calls only (__scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c and internal helpers such as 26a87996fc0, 26a87996e54, 26a87997190, 26a8799268c and 26a879a5780), with no Win32 API calls.
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3074727733.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a87990000_svchost.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
          • API String ID: 190073905-1786718095
          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction ID: b047a768bb49e332fa12a0d509f504b7dc68172f8f015219012fb81a31179565
          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction Fuzzy Hash: DB81D23170524186FBD0EF65944D39D72E1EB87780F588425AA0977796EF3BC9868F03

          Control-flow Graph

          APIs
          • GetLastError.KERNEL32 ref: 0000026A879CCE37
          • FlsGetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCE4C
          • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCE6D
          • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCE9A
          • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCEAB
          • FlsSetValue.KERNEL32(?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCEBC
          • SetLastError.KERNEL32 ref: 0000026A879CCED7
          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF0D
          • FlsSetValue.KERNEL32(?,?,00000001,0000026A879CECCC,?,?,?,?,0000026A879CBF9F,?,?,?,?,?,0000026A879C7AB0), ref: 0000026A879CCF2C
            • Part of subcall function 0000026A879CD6CC: HeapAlloc.KERNEL32 ref: 0000026A879CD721
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF54
            • Part of subcall function 0000026A879CD744: HeapFree.KERNEL32 ref: 0000026A879CD75A
            • Part of subcall function 0000026A879CD744: GetLastError.KERNEL32 ref: 0000026A879CD764
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF65
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000026A879D0A6B,?,?,?,0000026A879D045C,?,?,?,0000026A879CC84F), ref: 0000026A879CCF76
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Value$ErrorLast$Heap$AllocFree
          • String ID:
          • API String ID: 570795689-0
          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
          • Instruction ID: fbbfd203b105abf8085660589179a2c6459f60e277cac02fd6d43f7fad114619
          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
          • Instruction Fuzzy Hash: F941B13234164882FEF8A735565E37D36965BC67B0F640724A936377E6EE2BC8019E03

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
          • API String ID: 2171963597-1373409510
          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
          • Instruction ID: b02012d5428b01c1f3b2143805af3d2ef8a5ba1a4c44cc927d8b5d08adb94f93
          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
          • Instruction Fuzzy Hash: 8C213836618A4082EB50CB25F44836E7BA1F78ABE4F544215EA5913AA8DF7DC189CF02

          Control-flow Graph

          Control-flow graph for function 26a87999944 (graph data omitted; executed and not-executed blocks are distinguished in the rendered image). The graph contains only internal CRT exception-handling calls (26a8799a814, 26a87998a34, 26a87999e1c, 26a87996d40, 26a87998e10, 26a879990e4, 26a87998cb4, 26a87999124, 26a8799a8ac, 26a87998d44, 26a87998f50, 26a879990f8, 26a8799a038, 26a87999870, 26a8799a99c, 26a879986ac, 26a8799a3f4, 26a879988a0, 26a8799baa8, 26a8799bb48), with no Win32 API calls.
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3074727733.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a87990000_svchost.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction ID: 1f6ce65c737b67c16a74770dcca6a547431568ee9d47403595349a7bcceb887e
          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction Fuzzy Hash: 97E1D572605B408AFBA0DF65D48839D77B4F7A97A8F100116EE8D67B99DB36C091CF02

          Control-flow Graph

          Control-flow graph for function 26a879ca544 (graph data omitted; executed and not-executed blocks are distinguished in the rendered image). The graph contains only internal CRT exception-handling calls (26a879cb414, 26a879c9634, 26a879caa1c, 26a879c7940, 26a879c9a10, 26a879c9ce4, 26a879c98b4, 26a879c9d24, 26a879cb4ac, 26a879c9944, 26a879c9b50, 26a879c9cf8, 26a879cac38, 26a879ca470, 26a879cb59c, 26a879c92ac, 26a879caff4, 26a879c94a0, 26a879cc6a8, 26a879cc748), with no Win32 API calls.
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
          • Instruction ID: 444f81f33de08ab68ee44032b3efa5b7945037919697de8df49d031d9224469b
          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
          • Instruction Fuzzy Hash: E2E1C172604B80CAEFA0DF65D58939D77A0F799BA8F100116EE8967B99CB35C581CF02

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: AddressFreeLibraryProc
          • String ID: api-ms-$ext-ms-
          • API String ID: 3013587201-537541572
          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
          • Instruction ID: e22ce2f0d6908cfb41650f8e3b1f78ec9287b8d585868ecd0f1c06e4ba5b9ad5
          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
          • Instruction Fuzzy Hash: 5D41E633311A0091FE96DB56A80CB5D3BA6F785BE0F5941299D0DAB784EE3AC4458B02

          Control-flow Graph

          Control-flow graph for function 26a879c104c (graph data omitted; executed and not-executed blocks are distinguished in the rendered image). API calls in the graph: RegQueryInfoKeyW at entry, RegEnumValueW in the enumeration loop, and GetProcessHeap/HeapFree around an internal call to 26a879d6168.
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
          • String ID: d
          • API String ID: 3743429067-2564639436
          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
          • Instruction ID: f1e6073484f6787d024fb048a9424189236bd7d4ebebf72dc42381622d64dea6
          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
          • Instruction Fuzzy Hash: 76417173214B84C6EBA0CF61E44839E7BA1F389B98F448129EA8917758EF3DC585CB01

          Control-flow Graph

          APIs
          • FlsGetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD087
          • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0A6
          • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0CE
          • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0DF
          • FlsSetValue.KERNEL32(?,?,?,0000026A879CC7DE,?,?,?,?,?,?,?,?,0000026A879CCF9D,?,?,00000001), ref: 0000026A879CD0F0
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Value
          • String ID: 1%$Y%
          • API String ID: 3702945584-1395475152
          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
          • Instruction ID: 7de55e3907eeb61d84b2ec02f2a106e95853d66b6f36fb83176ce734d1449b23
          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
          • Instruction Fuzzy Hash: EC11823170868481FEF8A7395A5E37D715A5BC47F0F644324A839277EAEE6AC5028F02
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID:
          • API String ID: 190073905-0
          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction ID: 4ecf39c6d282c13922bf66bcab5b528d166167323d1dc1c22cdb0ae5698a6f63
          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction Fuzzy Hash: CA81D43160064186FFD0AB2AA94D3AD7B90ABC97C0F5C4425EA4877796EB7BC9458F03
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Library$Load$AddressErrorFreeLastProc
          • String ID: api-ms-
          • API String ID: 2559590344-2084034818
          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
          • Instruction ID: 95f3983436fef2e635cbbbb6f4cfe75cb904a5ec283e5a170f3328164d622b80
          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
          • Instruction Fuzzy Hash: FE312731316A00E1EF92DB46A80875C3BA4B7A9BB0F590525DD2E2B390EF3AC145CB02
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
          • String ID: CONOUT$
          • API String ID: 3230265001-3130406586
          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
          • Instruction ID: b5a7c8e5866d3be681c7c72b6341fd08360724eb52cb5406520433ec029d227b
          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
          • Instruction Fuzzy Hash: A6116D32310B4086E7E0DB56F84831DBEA0F789FE5F444224EA5E97794DF79C8148B41
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: CurrentProcessProtectVirtual$HandleModule
          • String ID: wr
          • API String ID: 1092925422-2678910430
          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
          • Instruction ID: d5baf2fdec3915ccb6d5ba03a26523055d6eaf36c073b9562141c2a23a4540a2
          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
          • Instruction Fuzzy Hash: 91115B36704B4182EF949B62F50826D7AB0FB8ABC5F440029EE8D27794EF3EC505CB06
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Thread$Current$Context
          • String ID:
          • API String ID: 1666949209-0
          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
          • Instruction ID: d9bcf84c3bd1533dc594d755c904efc893949546bab9f2d4fefad5fd87b2f6ed
          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
          • Instruction Fuzzy Hash: 23D18776208B8882DBB0DB0AE49835E7BA0F3D8B84F540116EA8D57BA9DF7DC541CF41
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID: dialer
          • API String ID: 756756679-3528709123
          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
          • Instruction ID: 8cc78c2e0b9a0818aac4479415df311af9c6568ae4cde8b4077327d37afdd94e
          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
          • Instruction Fuzzy Hash: 2231B032701B5582FA94DF16E54876DBBA4FB85BC0F084020EE4867B55EF36C4A18B42
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Value$ErrorLast
          • String ID:
          • API String ID: 2506987500-0
          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
          • Instruction ID: a51daef424c37a2d87d3f48ae78d9347c480c631925ac01d6e6589b89c5644b5
          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
          • Instruction Fuzzy Hash: E611B13130468082FEF4A735965E33D36666BC97F0F500324A83667BDAEE6BC4018E02
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
          • String ID:
          • API String ID: 517849248-0
          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
          • Instruction ID: 9a315eb257f643b679e19e597653428afdd5a9ed67b0f0b7c202793297a7241d
          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
          • Instruction Fuzzy Hash: CB016931300A4082EB94DB52A84C35DBBA1F789BC0F884035EE4963755DF3EC989CB01
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
          • String ID:
          • API String ID: 449555515-0
          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
          • Instruction ID: 0005ef61f3f4758259884e0c528835bf75180136e8c964115b40faba9de71eb2
          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
          • Instruction Fuzzy Hash: AE012D75211B4482EFA4DB62E80D31D7BB0BB86B86F444428DE4D27754EF7EC1488F02
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
          • String ID: csm$f
          • API String ID: 2395640692-629598281
          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction ID: 92aa7bb9b2b6dfa6ad1a732484a25b6d845d725c4ad4245d6686fe6e64f0842d
          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction Fuzzy Hash: 2D51BD32701640CEEF94DF15E84DB5D3BA6F3A4BA8F518124DA0767788EB76C981CB06
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
          • String ID: csm$f
          • API String ID: 2395640692-629598281
          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction ID: 1ab68a51141d201d9d3457faa14e522c8d132673c329719a63e2eaa97f42be49
          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction Fuzzy Hash: 4331DF32200680CAEB94DF12E84CB1D7BA5F3A4BE8F458014EE4727789DB3AC941CF06
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: FinalHandleNamePathlstrlen
          • String ID: \\?\
          • API String ID: 2719912262-4282027825
          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
          • Instruction ID: f116469fb9c2a0e448e9d2de76ad660752bf9178b15ca800e2592a53e1aade34
          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
          • Instruction Fuzzy Hash: 93F03C7230464192EBA0CB21F88875D7F60F789BC8F888021DA4957958DA6EC68DCF05
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: CombinePath
          • String ID: \\.\pipe\
          • API String ID: 3422762182-91387939
          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
          • Instruction ID: 8951257b2819e3fd8c3a1e414e7e6c4bb950c718772d34c177490584403dd16d
          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
          • Instruction Fuzzy Hash: D7F01C75718B8482FA94CF53B91C11DBE65AB89FD0F089131EE4A67B18DF7DC4458B02
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: AddressFreeHandleLibraryModuleProc
          • String ID: CorExitProcess$mscoree.dll
          • API String ID: 4061214504-1276376045
          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
          • Instruction ID: 3b089b17eef97f58e315832727781e6d96eaf58a468135795a3cb71de5b836e2
          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
          • Instruction Fuzzy Hash: 19F06271211A0481EF50CF29E44C35D7F20EB867A5F940219DA6A571E4DF2EC544CB02
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: CurrentThread
          • String ID:
          • API String ID: 2882836952-0
          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
          • Instruction ID: e84d3f95ef50d0da7100aa3763a05495aa81dff1962d31d5224108d669eafd74
          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
          • Instruction Fuzzy Hash: EF02B632219B8486EBA0CB59E49875EB7A1F3D4794F204015EB8E97BA9DF7DC484CF01
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: CurrentThread
          • String ID:
          • API String ID: 2882836952-0
          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
          • Instruction ID: 67d3c669d68eaeb62026641d81c2ba8ade1a21c8528e3319f6dd4d7c6ecb65f5
          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
          • Instruction Fuzzy Hash: EE61EA36519B44C6EBA0DB15E54832EB7A0F3D8784F600115FA8E57BA8DB7EC580CF02
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3074727733.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a87990000_svchost.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction ID: aeaa6a3608324816b59301e751e5f347b5c67f5421315ed83d7c14011e8581c2
          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction Fuzzy Hash: 9711C232A12F1111FEE4152CE85E36DB9D06B58374F48A738AD7E277E6CA2AC8415E02
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction ID: 951121f1d836c29066c475965dea384ba1a895c4e71a86b8b5a2b369afc9a8fb
          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction Fuzzy Hash: FC117036A10A9131FAE4D568E85E36D3D516B783F8F280724AD76376F6CA2AC8414E03
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3074727733.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a87990000_svchost.jbxd
          Similarity
          • API ID: _invalid_parameter_noinfo
          • String ID: Tuesday$Wednesday$or copy constructor iterator'
          • API String ID: 3215553584-4202648911
          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
          • Instruction ID: eebbbc8525f68246a3b0a6a29bd4a3cb681badd0c78307970aab721f545df6c1
          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
          • Instruction Fuzzy Hash: 4861D372604640C2FAF9CB68E54C36EBAA2F785784F544425CA1A377A4DB37C885CF43
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: CallEncodePointerTranslator
          • String ID: MOC$RCC
          • API String ID: 3544855599-2084237596
          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction ID: 91175b491b7fc14e3f1a7658fd3bfdb3fb1216593f4870ebf483384664c1c76e
          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction Fuzzy Hash: 26619D33A00B84CAEB60DF65D48439D7BA1F398BACF084215EF4927B98DB39C595CB41
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3074727733.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a87990000_svchost.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction ID: 24b885a40865372f2d4962931c6dd4c13311282acb065aa2b8f2b100d7f859d2
          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction Fuzzy Hash: A251A032100380CAFBF48F25954839C77A0F355BA4F189216DB99A7BD5CB3AD490DF02
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction ID: 893e4d8dc827b760fc59cebf5f18d00e76e891684a4649e14e6d9b3ac1800f38
          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction Fuzzy Hash: 2D51BF72100380CAEFB48F65958835D77A4F3D5BA5F188216EB8967BD5CB3AD490DF02
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3074727733.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a87990000_svchost.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction ID: 8bc6e4c2ed6fb3d0b116afd45bb950e03d86cb73ff22765c23392437f1fb0b44
          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction Fuzzy Hash: 8051DD327122009BFB94CF15E488F1C37A9F354B98F568168DA0A67788EB36D885CF07
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3074727733.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a87990000_svchost.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction ID: 6434e668c18de7f899a849f0e788a6f9301be5892d0fc4d1102cc1fdd749815e
          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction Fuzzy Hash: A1319C32211740AAF794DF11E888F1D77A9F740B98F568018EE5B67788DB3AC945CB06
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: FileWrite$ConsoleErrorLastOutput
          • String ID:
          • API String ID: 2718003287-0
          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
          • Instruction ID: 3076751dc3de790d1c224386df8ee1f4e5ab8c71f6f65ab3a3bed05673c9e6dc
          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
          • Instruction Fuzzy Hash: 88D10132B14A8089EB51CFB9D4483AC3FB1F754BD8F108216DE5DA7B99DA3AC446CB41
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$Free
          • String ID:
          • API String ID: 3168794593-0
          • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
          • Instruction ID: 8a01ecca636f93bdf911fe9301806ba74427497ad84442dbc2d131ee4094cafd
          • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
          • Instruction Fuzzy Hash: 9F115B76604A91D6E794DFA6A80814D7FA0FB8AFC5F084025EA4963716EE39C451CB41
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: ConsoleErrorLastMode
          • String ID:
          • API String ID: 953036326-0
          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
          • Instruction ID: a659f95e0478c9a379e7c93a59f58379ea217171002cffd52b577c1c22c3c908
          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
          • Instruction Fuzzy Hash: 9391D032700A5085FBA0DF7594883AD3FA0F759B98F644109DE4A77A94DB7EC8C2CB02
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
          • String ID:
          • API String ID: 2933794660-0
          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
          • Instruction ID: 4e80524f35fcef7bad59f85813724d52d64db0f3f33ffe74409acc95bda1e77e
          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
          • Instruction Fuzzy Hash: A4115A32710F018AEB90DF60E8583AC37B4F31A758F440E21EA6D537A4EB78C1988780
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: FileType
          • String ID: \\.\pipe\
          • API String ID: 3081899298-91387939
          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
          • Instruction ID: 97ea5c88fb40b65250efba85239deb6fe808c8ef7dc44d6fea174178200e4e45
          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
          • Instruction Fuzzy Hash: E671B636200B8186EFB5DF25D8993AE77A4F3C9B84F550026DD0963B89DE36D685CB02
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3074727733.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a87990000_svchost.jbxd
          Similarity
          • API ID: CallTranslator
          • String ID: MOC$RCC
          • API String ID: 3163161869-2084237596
          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction ID: e083ef4e6a99dc2faf5a08287110857988fabb0183ff147dc1fcf3667f8f1dd1
          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction Fuzzy Hash: 33618B33A05B848AFBA0DFA5D48439D77B0F398B98F044215EF4927B98DB3AD595CB01
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: FileType
          • String ID: \\.\pipe\
          • API String ID: 3081899298-91387939
          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
          • Instruction ID: a2f76bc1a186076cee4736489c3d4438f40eba79840f7ba633a66ebf323134d9
          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
          • Instruction Fuzzy Hash: EA51C43220478182FFB4DB2AA45C3AEBB91F3D5780F450125DE5A27B99DA3BC585CF42
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: ErrorFileLastWrite
          • String ID: U
          • API String ID: 442123175-4171548499
          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
          • Instruction ID: 5c34eae6179e8718e065711947d23fa5df45d25b207243dff04b03615aa00afe
          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
          • Instruction Fuzzy Hash: 8541A433715A8086DBA0DF25E8483ADBFA1F798794F944021EE4D97794EB7DC441CB41
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: ExceptionFileHeaderRaise
          • String ID: csm
          • API String ID: 2573137834-1018135373
          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
          • Instruction ID: 516278ab517d9276ea0f4953800809262020678c9f6335137ecd7ce881f65308
          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
          • Instruction Fuzzy Hash: 3D112836214B8082EBA18B15E44835DBBE5FB99BA4F584225EF8C17B68DF3DC551CB00
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3074727733.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a87990000_svchost.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: ierarchy Descriptor'$riptor at (
          • API String ID: 592178966-758928094
          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
          • Instruction ID: 290368697319c93d0959a6d4aceff4e73c937a6d0c9df6ff90baa51795892e9d
          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
          • Instruction Fuzzy Hash: CFE08671741B4490DF418F21E88469C73A1DBA8B64F889122995C1B311FA38D1E9C702
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000022.00000002.3074727733.0000026A87990000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A87990000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a87990000_svchost.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: Locator'$riptor at (
          • API String ID: 592178966-4215709766
          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
          • Instruction ID: 57ea791ecea9af06e65d832b1adcba3d40aeefbf742ffe7567ba952dade77035
          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
          • Instruction Fuzzy Hash: 19E08671701B4490DF418F21E48069C7361E7A8B54F889122C94C1B311EA38D1E5C701
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID:
          • API String ID: 756756679-0
          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
          • Instruction ID: 7016fa5795a79e5502fdc21d921c24760b1a256b601511705076004f3255fffb
          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
          • Instruction Fuzzy Hash: A8119175641B4482EE94DF66A40C22D7BA1FBCAFC0F184025EE4D63766EF3AC442C741
          APIs
          Memory Dump Source
          • Source File: 00000022.00000002.3075789818.0000026A879C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026A879C0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_34_2_26a879c0000_svchost.jbxd
          Similarity
          • API ID: Heap$AllocProcess
          • String ID:
          • API String ID: 1617791916-0
          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
          • Instruction ID: b1c6b37d2b3670007f77e6ad3635e51a98d0f2eb219863f2620388776d6560d5
          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
          • Instruction Fuzzy Hash: 08E06D3560160486EB44CFA2D80C34E3EE1FB8AF86F04C024C90907351DF7EC499CB51

          Execution Graph

          Execution Coverage:0.8%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:0%
          Total number of Nodes:471
          Total number of Limit Nodes:3

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Heap$AllocProcess
          • String ID:
          • API String ID: 1617791916-0
          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
          • Instruction ID: e4bf16918a7cacbca0db979268ad85abf1fead3538016a29a4f8caa0c503e4bd
          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
          • Instruction Fuzzy Hash: 6AE06D35A0161886EB058F62D82838A37F1FB8AF0AF04C024CA8D47351EF7D8499C750

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
          • String ID:
          • API String ID: 3331406755-0
          • Opcode ID: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
          • Instruction ID: e89af08d413403d6e5d7482309db2184f3715486d0e1cd70b0b3824db1cad727
          • Opcode Fuzzy Hash: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
          • Instruction Fuzzy Hash: 4C31B431A6876081EA269F226C502DE77B4B786BD8F48422BEA9E43BC5DF38C5458704

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
          • String ID:
          • API String ID: 1683269324-0
          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction ID: ca808a076cef636c667c28671c52d662c11ceeea05346f25545d2e4f9369c430
          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction Fuzzy Hash: 5F116130E3C66482FB629FB1F8557D923B4E76A34DF544127DA4E42B91EF78C04C8610

          Control-flow Graph

          APIs
            • Part of subcall function 00000179537A1628: GetProcessHeap.KERNEL32 ref: 00000179537A1633
            • Part of subcall function 00000179537A1628: HeapAlloc.KERNEL32 ref: 00000179537A1642
            • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A16B2
            • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A16DF
            • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A16F9
            • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1719
            • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1734
            • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1754
            • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A176F
            • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A178F
            • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A17AA
            • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A17CA
          • Sleep.KERNEL32 ref: 00000179537A1AD7
          • SleepEx.KERNELBASE ref: 00000179537A1ADD
            • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A17E5
            • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1805
            • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1820
            • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A1840
            • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A185B
            • Part of subcall function 00000179537A1628: RegOpenKeyExW.ADVAPI32 ref: 00000179537A187B
            • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A1896
            • Part of subcall function 00000179537A1628: RegCloseKey.ADVAPI32 ref: 00000179537A18A0
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: CloseOpen$HeapSleep$AllocProcess
          • String ID:
          • API String ID: 1534210851-0
          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction ID: b6c2e1d6c864596a4c04fdf18bbbf5071076cb135f023add6302ffefab344da2
          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction Fuzzy Hash: 04313271F2866582FF529B36DA413E923F4AB46BC8F8854239E0D873D5FF24C859C610

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID:
          • String ID: dialer
          • API String ID: 0-3528709123
          • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
          • Instruction ID: dbbf6158d5080c7e4a12ec2d32b33ddd1bdad48742ffa41caff3c02827982d81
          • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
          • Instruction Fuzzy Hash: 7AD0A770B252558BFF56DFE688D46E02370EB0974CF884032C90802750EB1CD98DA720

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3072736985.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_17953770000_svchost.jbxd
          Similarity
          • API ID: LibraryLoad
          • String ID:
          • API String ID: 1029625771-0
          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction ID: aa063f8f75c6740ade699a4d29bdcc33ceee5f26798b0015945cd0de14dc5192
          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction Fuzzy Hash: E6613532F096A087DB56CF15D0007ADB3F2F756BA8F188122CE6D17788DA38D866DB00

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
          • API String ID: 2119608203-3850299575
          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
          • Instruction ID: a68df60460c540e5a9242f56c6b8bfc5263ec75fa9e1868138209c41af1d70d8
          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
          • Instruction Fuzzy Hash: 0BB1BF72A28AA092EB6A8F25C4447E963B5F74AB8CF445017EE4D53B95EF35CCC8C740
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
          • String ID:
          • API String ID: 3140674995-0
          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
          • Instruction ID: 58b78ca673e8f1c025eb56569f683145776f8da21aff7224e17a305cb7f8da99
          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
          • Instruction Fuzzy Hash: FC317072619B908AEB619F60E8503EE7371F785748F44402ADB8D57B94EF38C54CC714
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
          • String ID:
          • API String ID: 1239891234-0
          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
          • Instruction ID: fac0d66ec64c3925cbc38e830e94581c1ed51f6a25e90594bb5b961479521937
          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
          • Instruction Fuzzy Hash: C8315F32618B9096EB61CF25E8503DE73B4F78A758F540126EA9D53B94EF38C659CB00

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
          • API String ID: 106492572-2879589442
          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
          • Instruction ID: 206c1a27e464331c4bd0b9a092aeafa2340499ab111ab09f1a96645441c587cd
          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
          • Instruction Fuzzy Hash: A371F136B18A2485FB11AF66E8A0ADD3374F786B8CF401122DE4E57B69EF38C548C744

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
          • String ID: d
          • API String ID: 2005889112-2564639436
          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
          • Instruction ID: 6227fafc9fbf8ae47cd58b7f6cf4b5d99e6e7defb89df161162dad1074e44a04
          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
          • Instruction Fuzzy Hash: 83517C72A18B9886EB51CF66E45839A77B1F38AF89F444126DE8D47718EF3CC049CB00

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: CurrentThread$AddressHandleModuleProc
          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
          • API String ID: 4175298099-1975688563
          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
          • Instruction ID: ba4581b48e2ff6b855cacc301ebdcd167c7a3886c66976a807292e1e89fccdae
          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
          • Instruction Fuzzy Hash: AF315074E299AAA0FE17EF65E8616D46371B70634CFC05023D84D13766AE7C868EC750

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3072736985.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_17953770000_svchost.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
          • API String ID: 190073905-1786718095
          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction ID: e41be534229163122c3179cc1025da5169d2b8c0ede0d6324f4ee0300e7142a4
          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction Fuzzy Hash: BB81F772F1C26186F657AB2594413D967F0E78778CF548527AA0C8379FDB38C84D8B08

          Control-flow Graph

          APIs
          • GetLastError.KERNEL32 ref: 00000179537ACE37
          • FlsGetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACE4C
          • FlsSetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACE6D
          • FlsSetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACE9A
          • FlsSetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACEAB
          • FlsSetValue.KERNEL32(?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACEBC
          • SetLastError.KERNEL32 ref: 00000179537ACED7
          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACF0D
          • FlsSetValue.KERNEL32(?,?,00000001,00000179537AECCC,?,?,?,?,00000179537ABF9F,?,?,?,?,?,00000179537A7AB0), ref: 00000179537ACF2C
            • Part of subcall function 00000179537AD6CC: HeapAlloc.KERNEL32 ref: 00000179537AD721
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACF54
            • Part of subcall function 00000179537AD744: HeapFree.KERNEL32 ref: 00000179537AD75A
            • Part of subcall function 00000179537AD744: GetLastError.KERNEL32 ref: 00000179537AD764
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACF65
          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000179537B0A6B,?,?,?,00000179537B045C,?,?,?,00000179537AC84F), ref: 00000179537ACF76
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Value$ErrorLast$Heap$AllocFree
          • String ID:
          • API String ID: 570795689-0
          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
          • Instruction ID: 77b7efc725698ca54b94f8a3bbd63b6bf6571e27a76a959dc314b8d8e9e59c42
          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
          • Instruction Fuzzy Hash: FA41D370F2C27951FA2BA73149553E923B15B477BCF1C4737A83E867DADE28C4494200

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
          • API String ID: 2171963597-1373409510
          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
          • Instruction ID: bf197e0ffd1960bdac6007c57ce7df944ff2740a99a669adc726ba4408a275dc
          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
          • Instruction Fuzzy Hash: 06214F32A1876482FB118B25F45479973B1F78ABA8F504216EB9D03BA8DF3CC14DCB04

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3072736985.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_17953770000_svchost.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction ID: c1e37324251eb8afeee7f02a8d197e06ab5e66d9bdec95cbde6af93207a2d4f1
          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction Fuzzy Hash: 68E18972A0ABA08AEB629B65D4813DD77F0F747B9CF100116EE8D57B9ACB34D499C700

          Control-flow Graph

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
          • Instruction ID: 48bad793c3cf8a064d8991e65e6d6caa703c72e63802b69e7c4d4fa44d5e9957
          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
          • Instruction Fuzzy Hash: DCE18E72A28BA48AEBA2DF65D4803DD77B0F746B9CF100116EE8D57B95CB34C599CB00
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: AddressFreeLibraryProc
          • String ID: api-ms-$ext-ms-
          • API String ID: 3013587201-537541572
          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
          • Instruction ID: 6d28e7484422e4a57a06ac6147cde09464f9819a0b3aea55b6358727e73b2730
          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
          • Instruction Fuzzy Hash: 3C41B532B2DA2091FB17DB66AC147D523B1BB46BA8F1941279D2E87784EF38C44DC324
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
          • String ID: d
          • API String ID: 3743429067-2564639436
          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
          • Instruction ID: 4d0dabdc3bb95f01b52548fecc3f9169e00d7fa873fa5b6aedad960dda8fc516
          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
          • Instruction Fuzzy Hash: 8E416C73618B94C6E761CF21E45479A77B1F389B9CF44812AEB8947B58EF38C489CB00
          APIs
          • FlsGetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD087
          • FlsSetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD0A6
          • FlsSetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD0CE
          • FlsSetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD0DF
          • FlsSetValue.KERNEL32(?,?,?,00000179537AC7DE,?,?,?,?,?,?,?,?,00000179537ACF9D,?,?,00000001), ref: 00000179537AD0F0
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Value
          • String ID: 1%$Y%
          • API String ID: 3702945584-1395475152
          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
          • Instruction ID: b0a3c49dc6ef7a53409216961fbfbc30d008a76d59ac91324fc92d9a86fd0cd9
          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
          • Instruction Fuzzy Hash: C311C870F2C26841FA6B673699613EA63715B473FCF144337A83D477EADE28C54A8200
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID:
          • API String ID: 190073905-0
          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction ID: 03549ce5a8bfb50d1d2883e7ce9a3f420bf030cad668bfca8cca14f47c08375e
          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction Fuzzy Hash: CD81B531E2C2E146FB57ABA994513D923F2AB4778CF5444A7EA4CC7796EB38C44D8700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Library$Load$AddressErrorFreeLastProc
          • String ID: api-ms-
          • API String ID: 2559590344-2084034818
          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
          • Instruction ID: 1c35a6318a95a9f66357ff113d1e6293aa460ab4329f98c61122d8ffc54845e1
          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
          • Instruction Fuzzy Hash: 5731D832B2E664E1EE13DB02A400BD963F4B74BBA8F5905279D5E47791EF38C45D8300
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
          • String ID: CONOUT$
          • API String ID: 3230265001-3130406586
          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
          • Instruction ID: 1d5e788c20f4153e52296bcb8cadabdf0028e11074e208d04bdcdd6a952d3e19
          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
          • Instruction Fuzzy Hash: 1C11C431B18BA482F7518B52E864359B3B4F389FE8F044226EA9E87794EF38C4488744
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: CurrentProcessProtectVirtual$HandleModule
          • String ID: wr
          • API String ID: 1092925422-2678910430
          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
          • Instruction ID: 5fea20ec1214d5790932143d42f439680bcd659adb70575157f6ec8973a68838
          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
          • Instruction Fuzzy Hash: 76115E36B1875582FF159F52E4186A963B4FB4AB89F44002ADF8D07B54EF3DC509C714
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Thread$Current$Context
          • String ID:
          • API String ID: 1666949209-0
          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
          • Instruction ID: 24d1bd52570d84dc27a6b3ebe3a983c1cff3cda0c085934ba3b1615b2ee42aa2
          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
          • Instruction Fuzzy Hash: B5D1A876619B9882DA71DB1AE49039A77B0F3C9B98F100117EACD47BA9DF3CC555CB00
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID: dialer
          • API String ID: 756756679-3528709123
          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
          • Instruction ID: 59910d8593d4568c8529067d3d7f690041ca8a68c9534a4d3212bb0acc98c89f
          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
          • Instruction Fuzzy Hash: 12319232B19B65C2FA56DF56E5407AA67B1FB46B88F084022DF8C47B55EF34C4A98700
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Value$ErrorLast
          • String ID:
          • API String ID: 2506987500-0
          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
          • Instruction ID: 8609c7cee23a4da2cb73d7b9a2e9104af3180433e72c296c04d1e0e8fdc5031b
          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
          • Instruction Fuzzy Hash: C811A270B2C26881FA2BA73259653E923715B477FCF144327A83E477DAEE28C5499200
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
          • String ID:
          • API String ID: 517849248-0
          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
          • Instruction ID: 56b2cd84fcc0e7ced0197c83fadfe9882c07905c38d9d912c2a518943b9c5019
          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
          • Instruction Fuzzy Hash: 51016931B08A5482FB11DB52A8A879963B5F789BC8F888036DE8D43754EF3CC98DC704
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
          • String ID:
          • API String ID: 449555515-0
          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
          • Instruction ID: d2470d701e98e81108f06155ee65d957e7b349e728d52e6fd90ae972be3b8938
          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
          • Instruction Fuzzy Hash: DD012D75B1975882FF269B62E86879573B0FB5AB8AF04042ACE8D07754EF3DC50C8704
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
          • String ID: csm$f
          • API String ID: 2395640692-629598281
          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction ID: 523c0386b4c626f6db8f57a49f1f760a6df895bac009b115f0e0608c5af323b5
          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction Fuzzy Hash: 0E51B232B2962886EB56DF15E448B9D37B6F347B8CF108126DA0E47788EB75CC59C704
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
          • String ID: csm$f
          • API String ID: 2395640692-629598281
          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction ID: 296e92441388b6fc06103b0115ebcdacb288d64441a59e498690bc521cbf3a7d
          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction Fuzzy Hash: 5531E032A2866896E716DF21E84879E37B4F743BCCF148016EE4E43788DB39C968C704
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: FinalHandleNamePathlstrlen
          • String ID: \\?\
          • API String ID: 2719912262-4282027825
          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
          • Instruction ID: de33d0b7403191fafe040a8392dc9819e369d541baf2522363be2d8de6ed28d3
          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
          • Instruction Fuzzy Hash: 65F03C72B1865592FB618F21E8D479A6771F749B8CF848022DA8D46A58EB2CC68DCB00
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: AddressFreeHandleLibraryModuleProc
          • String ID: CorExitProcess$mscoree.dll
          • API String ID: 4061214504-1276376045
          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
          • Instruction ID: f286dd60a5522db936dfed800217cc6c1f6d92c6ac24c710919bdd42c6a300c2
          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
          • Instruction Fuzzy Hash: 83F09671B2971481FB158B29E8647D96370EB8AB69F54021BCAAE463E4EF3CC44CC300
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: CombinePath
          • String ID: \\.\pipe\
          • API String ID: 3422762182-91387939
          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
          • Instruction ID: bfab23f09705f7b99784b468b9aa13085e235c3ca8d88f22da8ea4acb8ae1034
          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
          • Instruction Fuzzy Hash: 55F05E70A18BA482EA418F52B92419A6371EB4EFC8F044032EE8E07B18EE3CC4498714
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: CurrentThread
          • String ID:
          • API String ID: 2882836952-0
          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
          • Instruction ID: 898435458d9111b53b1cdb683c1f8426028e1d60795762d314f968d6b34372fa
          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
          • Instruction Fuzzy Hash: EE02A73262DB9486E7A1CB55E49039AB7B1F3C5798F104116EACE87BA9DF7CC458CB00
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: CurrentThread
          • String ID:
          • API String ID: 2882836952-0
          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
          • Instruction ID: a54e80bb82137fd852d70d2d4b38f9064022f1ae65caaef9bbb60a77a2beb057
          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
          • Instruction Fuzzy Hash: 1061CB3692DB94C6E761CB55E48435AB7B0F389798F10011AEACE47BA8DB7CC458CF00
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3072736985.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_17953770000_svchost.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction ID: 3cc9218a8b4e95386c2da3f1349016e86a73989eeb7d6784e7c61b0fa2066005
          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction Fuzzy Hash: F511A73AE1DA3111FA5715FCE4413E993E0EB5B37CF48472BA97E067DACA68C84D4100
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction ID: 1a93a27212db14d107c445d7083ca94b3231e77f583d31af7090b27211639dc1
          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction Fuzzy Hash: 16110632E1CF7821F666156AD4753E513706B7B3BCF080626A97E077D6FB24C8AC5211
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3072736985.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_17953770000_svchost.jbxd
          Similarity
          • API ID: _invalid_parameter_noinfo
          • String ID: Tuesday$Wednesday$or copy constructor iterator'
          • API String ID: 3215553584-4202648911
          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
          • Instruction ID: 7ae5aeff7bedc3f2e07649f4cc5b94845739e1ebc3c2fb1e68247ee672dcd3a0
          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
          • Instruction Fuzzy Hash: AE619F32E0C66482FA67DB68E6443EE6BF0E78774CF554517CA2E177A4DA34C84AC220
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: CallEncodePointerTranslator
          • String ID: MOC$RCC
          • API String ID: 3544855599-2084237596
          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction ID: 3a2af3483e4300a1187523e9586c3a768ce971fdbc56a475376103612aa46848
          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction Fuzzy Hash: CD613632A19B988AEB619F69D4803DD77B0F74AB8CF144216EE4D17B98DB38C599C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3072736985.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_17953770000_svchost.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction ID: 8b5f16ec00f45c4a7ced28edb1d3fb9ff7d8c5f0b459b66f842ca35e7ccd5795
          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction Fuzzy Hash: C2517032908AA0CAFBA68F25954439877F0F39AB98F185117EF5D87BD5CB38D468C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction ID: 643f0b19000955fd4531acc435b5a4dff8720e58fb8e76c4df4d970b4f056407
          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction Fuzzy Hash: 4F51B072928BA0CAEBB98F25948439D77B0F756B8DF184117DA9D47BD9CB38C468C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3072736985.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_17953770000_svchost.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction ID: 5ac530eb3dc6006a10c07ebfe96c76d79b6a881cc49be52fd1b4b670004edea5
          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
          • Instruction Fuzzy Hash: 1751BB32A09220AAEB57CF25E405B9837F5F352BDCF518126DA1E43788EB74E949CB04
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3072736985.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_17953770000_svchost.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction ID: dc1ac7ef7cd5220de1efaa23918da90dfe07c950faa1f83c25e2fd2283a28f24
          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction Fuzzy Hash: 9831CB32A09660A6E713DF21E845B997BF4F342BDCF058116EE5E03788DB38E949CB04
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: FileWrite$ConsoleErrorLastOutput
          • String ID:
          • API String ID: 2718003287-0
          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
          • Instruction ID: 06d4593c12757a61a920345c0e2df76c0e129f7e16386725fafdea6654bba7a9
          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
          • Instruction Fuzzy Hash: C5D1BF32B19A9489E712CFA9D4503DC3BB1F35AB9CF148216DE5E97B99EB34C50AC340
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$Free
          • String ID:
          • API String ID: 3168794593-0
          • Opcode ID: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
          • Instruction ID: bb6b78b593707857310a3324dd096787fdb4aa97373bc89aca0eb61e411b0d18
          • Opcode Fuzzy Hash: ccd79a5c24cc2b6b77d5d0d776de3086a7ca9ca8278a44c8c605b81f59301eca
          • Instruction Fuzzy Hash: 1D118B36918AA8C6E716DF66A81818977B0F78AF89F084026EBCD43716EE38C458C744
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: ConsoleErrorLastMode
          • String ID:
          • API String ID: 953036326-0
          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
          • Instruction ID: aa35c425ef9fc4d6b2506b4269cbb304a299e5433bf6d60ac2d50f473d078f8f
          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
          • Instruction Fuzzy Hash: D191A032F1966485FB629F6594A03EE2BB0B746B8CF14410BDE4E67B95EF35C48AC700
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
          • String ID:
          • API String ID: 2933794660-0
          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
          • Instruction ID: 9256c04884558f9edc0885e3b789def796bf32de9d9fbb855d04952720b7616f
          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
          • Instruction Fuzzy Hash: A6111C32B14B1989EB008B61E8543E833B4F71A75CF440E22DBAD467A4EB78C1A88380
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: FileType
          • String ID: \\.\pipe\
          • API String ID: 3081899298-91387939
          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
          • Instruction ID: 9464ef761ac9fd1665e8c61fdda8a34e1658d64a02c8beec298f218a00bbb3c3
          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
          • Instruction Fuzzy Hash: AB71D736A287A146E766DF25D8443EA67B4F38678DF44002BDE4E53F89DE35C689C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3072736985.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_17953770000_svchost.jbxd
          Similarity
          • API ID: CallTranslator
          • String ID: MOC$RCC
          • API String ID: 3163161869-2084237596
          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction ID: 4c013e113835d3432451d184c3eefa52352108669f7f627b66b82dfff524006d
          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction Fuzzy Hash: 0D615433A19B988AEB229F65D4807DD77B0F34AB8CF044616EE4D17B98DB78D199C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: FileType
          • String ID: \\.\pipe\
          • API String ID: 3081899298-91387939
          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
          • Instruction ID: 19b6e1f95d14bb4b976e64b46c6a80dd0e96378682549d0fa7c6c0d7907e3b1f
          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
          • Instruction Fuzzy Hash: 1651E732E2C7A181F6769E29A4583EAA7B1F387748F440127DE5D03B59DB39C98CC740
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: ErrorFileLastWrite
          • String ID: U
          • API String ID: 442123175-4171548499
          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
          • Instruction ID: 0369f9cddf07d3ef424b9edaf2e32a6908f06cc7a4d25baa8926a904c7eb2ec1
          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
          • Instruction Fuzzy Hash: DE41C432B19A9482EB21DF25E8543E977B0F799798F504026EE4D87794EF3CC449C744
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: ExceptionFileHeaderRaise
          • String ID: csm
          • API String ID: 2573137834-1018135373
          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
          • Instruction ID: 6bf90dc9676103b16e0bcc020ce2c1a8f578aef3304401d1f88f1bac78d3cb30
          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
          • Instruction Fuzzy Hash: C8112B36619B9482EB628B15E44439A77F5F78AB98F584221EFCC07758EF3CC565CB00
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3072736985.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_17953770000_svchost.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: ierarchy Descriptor'$riptor at (
          • API String ID: 592178966-758928094
          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
          • Instruction ID: f60bf3152a5179fea1846c11251400d11a437752cd411464d01763722624210a
          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
          • Instruction Fuzzy Hash: 08E08671A44B5490DF038F61E8502D873B0DB59B68F499223995C46311FA38D1EEC300
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000023.00000002.3072736985.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_17953770000_svchost.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: Locator'$riptor at (
          • API String ID: 592178966-4215709766
          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
          • Instruction ID: 8897af8326f031d2cd0f0d13e8354f59a96aeafc3cb2cafeabf6ee747cc8861e
          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
          • Instruction Fuzzy Hash: 0DE08671A04B5490DF038F61D4501D873B0E759B68F899223C95C06311EA38D1E9C300
          APIs
          Memory Dump Source
          • Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
          Similarity
          • API ID: Heap$Process$AllocFree
          • String ID:
          • API String ID: 756756679-0
          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
          • Instruction ID: 2a4f8d57dda99efd85754da4b3249eaba21036bec465e402961c7aa9532c5649
          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
          • Instruction Fuzzy Hash: F0119135A15B6881FA56DB66A4092A973F1FB8AFC8F584026DE8D87765EF38C446C300
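
          The function records above are worth machine-reading rather than eyeballing: the same Opcode ID turning up at two dump offsets with two different Instruction IDs (for example 9af7c444... for _set_statfp at 0000017953770000 and 00000179537A0000) means an identical opcode sequence whose operands differ, which is consistent with one image mapped at two base addresses inside the svchost.exe process. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin; the record layout is taken from this page, the sample is excerpted from the records above and trimmed to the fields read, and the triage string list is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample: five records excerpted from the function list above and
# trimmed to the fields this parser reads. _set_statfp and the Frame$Empty...
# unwinder each appear once per dump region; CombinePath carries "\\.\pipe\".
SAMPLE = r"""
Memory Dump Source
• Source File: 00000023.00000002.3072736985.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
• Snapshot File: hcaresult_35_2_17953770000_svchost.jbxd
• API ID: _set_statfp
• String ID:
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: 3cc9218a4b4e95386c2da3f1349016e86a73989eeb7d6784e7c61b0fa2066005
Memory Dump Source
• Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
• Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
• API ID: _set_statfp
• String ID:
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: 1a93a27212db14d107c445d7083ca94b3231e77f583d31af7090b27211639dc1
Memory Dump Source
• Source File: 00000023.00000002.3072736985.0000017953770000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000017953770000, based on PE: true
• Snapshot File: hcaresult_35_2_17953770000_svchost.jbxd
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction ID: 8b5f16ec00f45c4a7ced28edb1d3fb9ff7d8c5f0b459b66f842ca35e7ccd5795
Memory Dump Source
• Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
• Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
• Instruction ID: 643f0b19000955fd4531acc435b5a4dff8720e58fb8e76c4df4d970b4f056407
Memory Dump Source
• Source File: 00000023.00000002.3073665161.00000179537A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000179537A0000, based on PE: true
• Snapshot File: hcaresult_35_2_179537a0000_svchost.jbxd
• API ID: CombinePath
• String ID: \\.\pipe\
• Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
• Instruction ID: bfab23f09705f7b99784b468b9aa13085e235c3ca8d88f22da8ea4acb8ae1034
"""

FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")          # "• Key: value" lines
OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")      # inside the Source File value


def parse_records(text):
    """One dict per 'Memory Dump Source' block; Offset is split out of Source File."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {}
            records.append(cur)
            continue
        m = FIELD.match(line) if cur is not None else None
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            om = OFFSET.search(val)
            cur["Offset"] = om.group(1).upper() if om else ""
            cur["Source File"] = val.split(",")[0]
        else:
            cur[key] = val
    return records


def shared_functions(records):
    """Opcode IDs seen at more than one dump offset -> (API ID, {offset: Instruction ID})."""
    by_opcode, api = defaultdict(dict), {}
    for r in records:
        op, off = r.get("Opcode ID"), r.get("Offset")
        if op and off:
            by_opcode[op][off] = r.get("Instruction ID", "")
            api[op] = r.get("API ID", "")
    return {op: (api[op], dict(sorted(offs.items())))
            for op, offs in by_opcode.items() if len(offs) > 1}


# Assumed triage list (not from the report): strings that deserve a closer look.
INTERESTING = (r"\\.\pipe", r"\\?", "mscoree.dll", "dialer")


def flagged(records):
    """Records whose String ID contains a substring from the triage list."""
    return [(r.get("API ID", ""), r.get("String ID", ""))
            for r in records if any(s in r.get("String ID", "") for s in INTERESTING)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for op, (api, offs) in shared_functions(recs).items():
        print(op[:12], api, sorted(offs))
    print(flagged(recs))
```

Run against the whole function list of a report, the shared-function map tells you which opcode-identical functions live in both injected regions, and the triage list pulls out the named-pipe and mscoree.dll handlers without reading every record.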

          Execution Graph

          Execution Coverage:0.7%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:0%
          Total number of Nodes:73
          Total number of Limit Nodes:2
          execution_graph (rendered call graph; node addresses and API labels recovered from the export, executed/not-executed colouring not recoverable):
          • 2295d53273c: loops through 2295d532858 (LoadLibraryA) until 2295d5328d4
          • 2295d561abc: calls 2295d561628, then loops at 2295d561acb between 2295d561ad2 (Sleep, SleepEx) and 2295d561598 (StrCmpIW, StrCmpW)
          • 2295d561628: GetProcessHeap, _invalid_parameter_noinfo, four calls to 2295d561268 (GetProcessHeap, 2295d576168, GetProcessHeap, _invalid_parameter_noinfo), then nine RegOpenKeyExW at 2295d56168e, 2295d5616c0, 2295d5616ff, 2295d56173a, 2295d561775, 2295d5617b0, 2295d5617eb, 2295d561826 and 2295d561861; the first gates the rest, each of the other eight hands its key to 2295d5612bc (four of them) or 2295d56104c (the other four) and then RegCloseKey; returns through 2295d5618a6 to 2295d561acb
          • 2295d5612bc: RegQueryInfoKeyW, GetProcessHeap, RegEnumValueW loop, lstrlenW, HeapFree, StrCpyW, value compare via 2295d56152c (StrCmpIW, StrCmpW), RegCloseKey
          • 2295d56104c: RegQueryInfoKeyW, RegEnumValueW loop, GetProcessHeap, HeapFree, RegCloseKey
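
          The IDA plugin exports the execution graph as a flat token stream: a node is a decimal id followed by its address and any API labels, a collapsed subcall carries an "N API calls" annotation, and edges are written a->b. The Python below is an added example, not Joe Sandbox code; it parses that stream, lists the APIs reachable from a node in call order, and finds API-calling nodes that sit on a cycle, which is how the Sleep/SleepEx loop at 2295d561ad2 and the LoadLibraryA loop at 2295d532858 surface. The sample input is a constructed slice of the export above (the LoadLibraryA loop, the Sleep/StrCmp loop and the first two RegOpenKeyExW nodes); the token grammar is inferred from that export.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample: a trimmed slice of the execution_graph export above.
SAMPLE = (
    "execution_graph 14863 2295d53273c 14865 2295d53276a 14863->14865 "
    "14864 2295d532858 LoadLibraryA 14864->14865 14865->14864 14866 2295d5328d4 14865->14866 "
    "14867 2295d561abc 14872 2295d561628 GetProcessHeap 14867->14872 14869 2295d561acb "
    "14870 2295d561ad2 Sleep SleepEx 14869->14870 14871 2295d561598 StrCmpIW StrCmpW "
    "14869->14871 14870->14869 14871->14869 14873 2295d561648 _invalid_parameter_noinfo "
    "14917 2295d561268 GetProcessHeap 14873->14917 14875 2295d561650 "
    "14876 2295d561268 2 API calls 14875->14876 14882 2295d56168e RegOpenKeyExW "
    "14883 2295d5616c0 RegOpenKeyExW 14884 2295d5618a6 14882->14883 14882->14884 14884->14869"
)


@dataclass
class Node:
    id: int
    addr: str
    apis: list = field(default_factory=list)
    api_calls: int = 0          # from an "N API calls" annotation on a collapsed subcall


@dataclass
class Graph:
    nodes: dict = field(default_factory=dict)
    edges: dict = field(default_factory=lambda: defaultdict(list))   # id -> [ids], in export order


EDGE = re.compile(r"(\d+)->(\d+)")
HEXADDR = re.compile(r"[0-9a-f]{6,16}")


def parse_execution_graph(text):
    """Turn the token stream into nodes (id, address, API labels) and directed edges."""
    toks = text.split()
    g, cur, i = Graph(), None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE.fullmatch(t)
        if m:                                                # "14863->14865"
            g.edges[int(m.group(1))].append(int(m.group(2)))
            i += 1
        elif t.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
            cur.api_calls = int(t)                           # "2295d561268 2 API calls"
            i += 3
        elif t.isdigit() and i + 1 < len(toks) and HEXADDR.fullmatch(toks[i + 1]):
            cur = Node(int(t), toks[i + 1])                  # "14870 2295d561ad2"
            g.nodes[cur.id] = cur
            i += 2
        else:
            if cur is not None and t != "execution_graph":   # an API label such as "SleepEx"
                cur.apis.append(t)
            i += 1
    return g


def api_trace(g, root):
    """APIs on every node reachable from root, in breadth-first (roughly call) order."""
    seen, order, q = {root}, [], deque([root])
    while q:
        n = q.popleft()
        node = g.nodes.get(n)
        if node:
            order.extend(node.apis)
        for m in g.edges[n]:
            if m not in seen:
                seen.add(m)
                q.append(m)
    return order


def reaches(g, src, dst):
    """True if there is a non-empty path src -> ... -> dst."""
    seen, q = set(), deque(g.edges[src])
    while q:
        n = q.popleft()
        if n == dst:
            return True
        if n not in seen:
            seen.add(n)
            q.extend(g.edges[n])
    return False


def looping_api_nodes(g):
    """Address -> APIs for nodes that call an API and lie on a cycle (delay and retry loops)."""
    return {n.addr: n.apis for n in g.nodes.values() if n.apis and reaches(g, n.id, n.id)}


if __name__ == "__main__":
    g = parse_execution_graph(SAMPLE)
    print("from 2295d56168e:", api_trace(g, 14882))
    print("loops:", looping_api_nodes(g))
```

Feeding the full export to parse_execution_graph and asking for api_trace from 14867 gives the whole registry walk in one list; looping_api_nodes is the quick way to confirm that the Sleep/SleepEx node is a wait loop rather than a single delay.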

          Control-flow Graph

          APIs
          Memory Dump Source
          • Source File: 00000024.00000002.3072308225.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_36_2_2295d560000_svchost.jbxd
          Similarity
          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
          • String ID:
          • API String ID: 1683269324-0
          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction ID: 5031a993dd2e0ffba4341d233f54e6ba6289e794825d97dea3070d57f858cfdc
          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
          • Instruction Fuzzy Hash: A4115E70B11641A2FB62ABE9F80D7692694B754785FE84124FA06815ADEF78C1EAC230

          Control-flow Graph

          APIs
            • Part of subcall function 000002295D561628: GetProcessHeap.KERNEL32 ref: 000002295D561633
            • Part of subcall function 000002295D561628: HeapAlloc.KERNEL32 ref: 000002295D561642
            • Part of subcall function 000002295D561628: RegOpenKeyExW.ADVAPI32 ref: 000002295D5616B2
            • Part of subcall function 000002295D561628: RegOpenKeyExW.ADVAPI32 ref: 000002295D5616DF
            • Part of subcall function 000002295D561628: RegCloseKey.ADVAPI32 ref: 000002295D5616F9
            • Part of subcall function 000002295D561628: RegOpenKeyExW.ADVAPI32 ref: 000002295D561719
            • Part of subcall function 000002295D561628: RegCloseKey.ADVAPI32 ref: 000002295D561734
            • Part of subcall function 000002295D561628: RegOpenKeyExW.ADVAPI32 ref: 000002295D561754
            • Part of subcall function 000002295D561628: RegCloseKey.ADVAPI32 ref: 000002295D56176F
            • Part of subcall function 000002295D561628: RegOpenKeyExW.ADVAPI32 ref: 000002295D56178F
            • Part of subcall function 000002295D561628: RegCloseKey.ADVAPI32 ref: 000002295D5617AA
            • Part of subcall function 000002295D561628: RegOpenKeyExW.ADVAPI32 ref: 000002295D5617CA
          • Sleep.KERNEL32 ref: 000002295D561AD7
          • SleepEx.KERNELBASE ref: 000002295D561ADD
            • Part of subcall function 000002295D561628: RegCloseKey.ADVAPI32 ref: 000002295D5617E5
            • Part of subcall function 000002295D561628: RegOpenKeyExW.ADVAPI32 ref: 000002295D561805
            • Part of subcall function 000002295D561628: RegCloseKey.ADVAPI32 ref: 000002295D561820
            • Part of subcall function 000002295D561628: RegOpenKeyExW.ADVAPI32 ref: 000002295D561840
            • Part of subcall function 000002295D561628: RegCloseKey.ADVAPI32 ref: 000002295D56185B
            • Part of subcall function 000002295D561628: RegOpenKeyExW.ADVAPI32 ref: 000002295D56187B
            • Part of subcall function 000002295D561628: RegCloseKey.ADVAPI32 ref: 000002295D561896
            • Part of subcall function 000002295D561628: RegCloseKey.ADVAPI32 ref: 000002295D5618A0
          Memory Dump Source
          • Source File: 00000024.00000002.3072308225.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_36_2_2295d560000_svchost.jbxd
          Similarity
          • API ID: CloseOpen$HeapSleep$AllocProcess
          • String ID:
          • API String ID: 1534210851-0
          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction ID: 6be2af435d7cef7a0d730ab2cee6188e533e90339f8f62263b8fc8a1bb8900c5
          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
          • Instruction Fuzzy Hash: 28310F6130264171FF529BAEF6597B953A4AB54BC0F845821FE0A876ADFE10C4F3C230

          Control-flow Graph

          Memory Dump Source
          • Source File: 00000024.00000002.3072308225.000002295D560000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D560000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_36_2_2295d560000_svchost.jbxd
          Similarity
          • API ID:
          • String ID: dialer
          • API String ID: 0-3528709123
          • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
          • Instruction ID: 973254c20ed36f436f38bd4d09e2a985cadb20c2f1368670b4733b9c9fac1443
          • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
          • Instruction Fuzzy Hash: 06D0A760312205EAFF56DFEE98CCAA02350EB04784FCC4030EA0042258DB1889EFD730

          Control-flow Graph

          Memory Dump Source
          • Source File: 00000024.00000002.3071251930.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_36_2_2295d530000_svchost.jbxd
          Similarity
          • API ID: LibraryLoad
          • String ID:
          • API String ID: 1029625771-0
          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction ID: 0e6802290ade3d6c3e0c61d3da31a49d69c5494da3b9c3fb0fa3ef4ed66a3788
          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
          • Instruction Fuzzy Hash: 3361F333B01A9097DB56CF99900872DB392FB54BA4FD88125EE594778CDA38D8E3C720

          Control-flow Graph

          Memory Dump Source
          • Source File: 00000024.00000002.3071251930.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_36_2_2295d530000_svchost.jbxd
          Similarity
          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
          • API String ID: 190073905-1786718095
          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction ID: 98c625c09eff0f36b24967c82461e185994a4a6477cb6c99a2958b7298546d16
          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
          • Instruction Fuzzy Hash: 3781A022704245A6FA53AFED94593592290EF95B80FD48029FA458779EDF38C8FF8730

          Control-flow Graph

          Memory Dump Source
          • Source File: 00000024.00000002.3071251930.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_36_2_2295d530000_svchost.jbxd
          Similarity
          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
          • String ID: csm$csm$csm
          • API String ID: 849930591-393685449
          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction ID: da551b364453b684aac20aeaef5e6ad67a05c1b449b1d4552db4f9eae988a640
          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
          • Instruction Fuzzy Hash: 00E1AEB2704780D6EB62CFA9D48939D7BA0FB45798F800515FE8957B49CB34C1E2CB21
          Memory Dump Source
          • Source File: 00000024.00000002.3071251930.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_36_2_2295d530000_svchost.jbxd
          Similarity
          • API ID: _set_statfp
          • String ID:
          • API String ID: 1156100317-0
          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction ID: 4d7a16c8f84e2147aeb73df7b6f4eafd36b58c9a2c7a84b204248e4a72c11798
          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
          • Instruction Fuzzy Hash: F611A7227DCA1271FA5A15ECE54D3A916806B58374FC84638FB76062FECA24D8F34122
          Memory Dump Source
          • Source File: 00000024.00000002.3071251930.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_36_2_2295d530000_svchost.jbxd
          Similarity
          • API ID: _invalid_parameter_noinfo
          • String ID: Tuesday$Wednesday$or copy constructor iterator'
          • API String ID: 3215553584-4202648911
          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
          • Instruction ID: 23e656c347c1b441ba95a6f2cc160327888d9115f172b8bb851d413c784f1195
          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
          • Instruction Fuzzy Hash: 9661B276704640A2FA678FEDE94C32A66A1EF85781FD44515FA0A177ACDB34C8E38330
          Memory Dump Source
          • Source File: 00000024.00000002.3071251930.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_36_2_2295d530000_svchost.jbxd
          Similarity
          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
          • String ID: csm$csm
          • API String ID: 3896166516-3733052814
          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction ID: 850b4a3b32301abf376dda588f44768a94a4c843b664c247edfac5ecfee9c4de
          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
          • Instruction Fuzzy Hash: 7E519132300380DAEB7ACF99944835877A0FB55B94F984215FA9987BD9CB38D4F2C721
          Memory Dump Source
          • Source File: 00000024.00000002.3071251930.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_36_2_2295d530000_svchost.jbxd
          Similarity
          • API ID: CurrentImageNonwritable__except_validate_context_record
          • String ID: csm$f
          • API String ID: 3242871069-629598281
          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction ID: cf76caa513402423ef1de6ca9bba5c9327f9e149eec27c1d7f8438aeb0d1bf89
          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
          • Instruction Fuzzy Hash: EE31B372301740B6E71ADF59E8487193B64FB44B98F858014FE5603B4CDB38C9A2C716
          Memory Dump Source
          • Source File: 00000024.00000002.3071251930.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_36_2_2295d530000_svchost.jbxd
          Similarity
          • API ID: CallTranslator
          • String ID: MOC$RCC
          • API String ID: 3163161869-2084237596
          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction ID: 2997df5615918fccefb6b8514ccd5441272279f2dfd5a55482fe6714c0e174f4
          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
          • Instruction Fuzzy Hash: CE61AD77B00B84DAEB22CFA9D48439D77A0FB44B88F444215EF4917B98DB38D1A6CB50
          Memory Dump Source
          • Source File: 00000024.00000002.3071251930.000002295D530000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002295D530000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_36_2_2295d530000_svchost.jbxd
          Similarity
          • API ID: __std_exception_copy
          • String ID: ierarchy Descriptor'$riptor at (
          • API String ID: 592178966-758928094
          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
          • Instruction ID: 0b4036483603ea026bbd5867053e3460b1e7db21a28e1e4dfa0739cc0c630890
          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
          • Instruction Fuzzy Hash: 75E08661740B48A0DF068F65E84439833A1DB58B64FC89122E95C07315FA78D1FAC311